This post originated from an RSS feed registered with Agile Buzz
by James Robertson.
Original Post: Scoble talks about security at MS
Feed Title: Cincom Smalltalk Blog - Smalltalk with Rants
Feed URL: http://www.cincomsmalltalk.com/rssBlog/rssBlogView.xml
Feed Description: James Robertson comments on Cincom Smalltalk, the Smalltalk development community, and IT trends and issues in general.
The problem is, at some point you'd have to ship new products. Our investors demand that too (new products are where new revenues come from). And, then, you'd be shipping new code with potential new vulnerabilities. Any code that does something interesting is a potential security problem. Think about that for a minute.
For instance, Microsoft just shipped OneNote. It doesn't have an API. Why? Because of security issues. But, it really limits the functionality of the app. I'd love to have Radio UserLand talk to OneNote, so I could use OneNote for blogging. I can't do that today because of security concerns.
Two things come to mind
Security is in some sense a trade-off with aapplication integration (as alluded to above. In the past - mostly to please customers, IMHO - MS has rated interop higher than security (see MS Office, COM, DDE, etc)
If MS had been using a managed environment for these apps, it would be far less of a problem. Buffer overflows just aren't an issue when I integrate plugins into BottomFeeder, for instance
However, it's not simply a matter of MS hosting stuff on top of the CLR from here on out either. There's a huge pile of legacy applications, and most of them aren't Microsoft's code. This is going to be an issue as long as people continue to use C and C++ for application development - and not only on Windows. As Linux popularity grows, start watching that platform for interesting buffer overflow issues more frequently...
Previous Topic
