A lingering feeling that I’ve had for roughly the last year was solidified for me last week at Blackhat/DEFCON. Making fun of Microsoft’s security program is now passe. In fact, it’s so far gone that the opposite is now en vogue. And for good reason.
I’ve been doing a lot of work on risk assessment, threat modeling, and application security in the last few months, and in all my research travels I’ve been hitting the same thing over and over.
The only company even attempting to do $foo_security_thing correctly on a mass scale is Microsoft…
I keep hearing this. Over and over. Everywhere. This isn’t to say that nobody else is doing security well, but I would say that among the big companies that are security-aware they’re probably still significantly behind Microsoft.
A significant case in point is Internet Explorer 8’s new XSS filter. According to Rsnake, who should need no introduction to my readers, the filter is pretty damn good. This may seem like a small thing to many, but when combined with everything else, e.g. hardcore coding standards, inviting security researchers to tear up their apps, etc., a clear picture is being drawn.
So the idea is this: blindly making fun of Microsoft’s security now betrays a lack of current security knowledge rather than l33tness. Interesting times we live in.