Microsoft is blaming developers for not making secure enough code and is condescendingly offering to help them out with that.
The firm, which obviously believes its OS to be perfectly secure – save for some dodgy developer coding which apparently leaves it vulnerable to all kinds of nasties – has released a report claiming that for the first half of 2009, 81 percent of reported vulnerabilities were in non-browser applications, five percent were in Microsoft products and the remainder were in browsers.
Indeed, Microsoft now reckons “Today’s attackers are no longer script-kiddies looking for kicks. They’re sophisticated criminals after money.”
Gone are the days of playful hacker “one-upmanship” over professional software engineers, says the firm, lamenting that these days its no longer about the love, but about the money. So sad.
“As a result, attackers will exploit any vulnerability in order to infiltrate a network, no matter where in the software stack they find it,” reads a Microsoft blog.
Cheekily laying the blame on hardworking, harassed developers, David Ladd, Microsoft’s principal security program manager had the gall to complain that security was “not something app developers have prioritized in the past.”
Fumbling to make that sound slightly less arrogant, Ladd noted that this was probably because developer focus had “been getting a product that has a competitive edge in terms of features and functionality to market as quickly as possible.”
“That’s not a criticism, it’s just a factor of commercial priority,” he stuttered on. Hole. Digging.
Furthermore, according to Ladd, “most software developers want to write more secure code. However, many just don’t know where to start, or assume security means added cost and longer development cycles.”
So, to encourage those silly old developers to “produce code with fewer vulnerabilities” and help Microsoft hack-proof itself, the firm has set up what it calls the Trustworthy Computing (TwC) Group, back in 2002 after a rather nasty bout of worms plagued the firm.
From the goodness of its heart, Microsoft says it believes the learning which emanates from TwC should be shared “with the broader developer community,” and to this end, the firm has released “free secure development tools and expertise in the form of white papers and other instructional guidance.”
Less, ‘help us to help you’, and more, ‘we’ll help you to help us. PLEASE.’
“We could take the view that we created the SDL, it’s ours and we’re keeping it,” said Ladd, summing up Microsoft’s policy on just about everything else, “But what’s the point in that? An entire developer community that creates code with fewer vulnerabilities is not only better for Microsoft, but for everyone.”
Ladd admits that “writing code with zero vulnerabilities is not possible,” and reckons his firm (and the developers he blames for all its faults) “still have plenty of work to do.”
“Attackers will continue to pose threats,” he warns, whilst reassuring developers that Microsoft’s “experience is unique among software developers.”
“Over the past nine years or so we’ve learned the hard way how to develop code more securely. We believe the SDL process is an industry best practice,” he concluded.