
October 02, 2003

Beyond Patching?

NetNewsWire shows a 'summary' for each entry, and this one contained a gem so good that I don't even have to read the full article from CNet:

Microsoft moves beyond patches
Conceding that its strategy of patching Windows holes as they emerge has not worked, the software giant plans a new security effort focused on what it calls "securing the perimeter."

Makes sense to me and fits with the earlier discussion here about disconnecting Microslosh boxes from the internet. Secure the perimeter by using real computers (TM) that run Real Operating Systems (TM), which effectively means anything not made by Microslosh - even a C64 or Tandy Colour Computer would be more secure :-)

Actually if you read the article it is a typical "inside the box" look at the problem. The quotes run along the lines of: "we issue patches", "customers won't install them", "speed of internet means the cycle from bug to patch is getting tighter", "need to issue patches more frequently", "need customers to patch more often", "customers still won't install them" ad infinitum.

Hop outside the box and ask yourself something. How does Open Software deal with this? Answer: by writing the code more carefully to start with. Instead of slapping the customers around for not installing patches, slap the coders (and their managers) around for producing buggy code. The problem is rooted in two key causes: first, the inability to write good, secure code (most universities no longer teach this because they have become desensitised by exposure to lousy software), and secondly, the way that quick coding, as opposed to good coding, is rewarded internally. Promote coders whose software does not need to be patched rather than the coders who generate the most function points / lines of code / whatever.

Where is Ken Robinson when you need him?

P.S. Ken Robinson was a lecturer (now a professor) at UNSW who taught me (in second year, a long time ago) a subject called something along the lines of "program proving", which involved writing code in some horrible language that included preconditions and postconditions for every statement. The deal was that you could prove (in this language) exactly what the program would do. The rigour of learning this way has always stayed with me and I think it (or something similar) should be compulsory for all programmers.
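To make the pre/postcondition idea concrete, here is an added example (my own, not from the original post or from that UNSW course): a small Python script that writes down the proof obligations for a loop in Hoare-logic style (precondition implies the invariant after initialisation; invariant plus loop guard is preserved by the body; a variant decreases so the loop terminates; invariant plus exit condition implies the postcondition) and then checks every obligation exhaustively over a small range of integers. Exhaustive checking over a bounded range is a stand-in for the real proof, which discharges the same obligations for all integers; the program (integer division by repeated subtraction), the invariant, the variant, the deliberately broken `buggy_body` and the `BOUND` constant are all my constructed choices.

```python
"""Proof obligations for a loop, in pre/postcondition style, checked
exhaustively over small integers (added example, not from the post).

Program under analysis (integer division by repeated subtraction):

    { a >= 0 and b > 0 }                              precondition
    q := 0; r := a
    while r >= b do
        { inv: a == q*b + r and r >= 0 and b > 0 }    loop invariant
        { variant: r }                                decreases each iteration
        q := q + 1; r := r - b
    od
    { a == q*b + r and 0 <= r < b }                   postcondition
"""
from itertools import product

BOUND = 10  # constructed bound: states are checked over [-BOUND, BOUND]


def pre(a, b):
    return a >= 0 and b > 0


def init(a, b):
    """The initialisation statements q := 0; r := a."""
    return 0, a


def inv(a, b, q, r):
    return a == q * b + r and r >= 0 and b > 0


def guard(a, b, q, r):
    return r >= b


def body(a, b, q, r):
    """The loop body q := q + 1; r := r - b."""
    return q + 1, r - b


def buggy_body(a, b, q, r):
    """Constructed defect: forgets to advance the quotient."""
    return q, r - b


def variant(a, b, q, r):
    return r


def post(a, b, q, r):
    return a == q * b + r and 0 <= r < b


def check_obligations(body=body, bound=BOUND):
    """Return a list of (obligation, state) counterexamples; an empty list
    means every obligation held on every state in range."""
    failures = []
    rng = range(-bound, bound + 1)

    # Obligation 1 (initialisation): pre ==> inv holds after q := 0; r := a
    for a, b in product(rng, rng):
        if pre(a, b):
            q, r = init(a, b)
            if not inv(a, b, q, r):
                failures.append(("init", (a, b, q, r)))

    for a, b, q, r in product(rng, rng, rng, rng):
        if not inv(a, b, q, r):
            continue  # obligations only need to hold where inv holds
        if guard(a, b, q, r):
            q2, r2 = body(a, b, q, r)
            # Obligation 2 (preservation): inv and guard ==> inv after body
            if not inv(a, b, q2, r2):
                failures.append(("preserve", (a, b, q, r)))
            # Obligation 3 (termination): variant >= 0 and strictly decreases
            if not (variant(a, b, q, r) >= 0
                    and variant(a, b, q2, r2) < variant(a, b, q, r)):
                failures.append(("variant", (a, b, q, r)))
        # Obligation 4 (exit): inv and not guard ==> post
        elif not post(a, b, q, r):
            failures.append(("exit", (a, b, q, r)))
    return failures


if __name__ == "__main__":
    print("correct body:", check_obligations() or "all obligations hold")
    print("buggy body:  ", check_obligations(body=buggy_body)[:3], "...")
```

With the correct body every obligation holds and the checker returns nothing; swapping in `buggy_body` produces "preserve" counterexamples immediately, because a state satisfying the invariant no longer satisfies it after the body runs. That is the shape of the discipline the post describes: the bug is found against the specification, not against whichever inputs a tester happened to try.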

Posted by Ozguru at October 2, 2003 09:10 AM

Comments

Looks like the last nail in the coffin. Down with IE, hurray for Mozilla.

Posted by: Tony S. at October 2, 2003 09:10 AM