
‘Security Awareness Modes’ & the ‘day Microsoft changes’

While analyzing the different responses and attitudes that companies have towards security, I came up with the following four Awareness Modes, which I am now calling the ‘Security Awareness Modes’:

  • ‘Awareness Mode 1) Blissful ignorance’ - When companies have no idea of their vulnerabilities. This changes when they are attacked or pay for a competent and thorough security penetration test.
  • ‘Awareness Mode 2) The Patching Dance’ - When companies know where the problems are, and issue regular patches to solve them (this mode usually contains a healthy security full-disclosure market).
  • ‘Awareness Mode 3) The SDL Dream’ - After a while in Mode 2, companies start to fall for the dream that ‘we can detect, solve or greatly reduce these issues using a strong, security-focused SDL’.
  • ‘Awareness Mode 4) The Alignment’ - Once the limitations of Mode 3 are apparent (and correctly diagnosed) the companies realize that the only ‘real’ solution is to change their business model (

Microsoft is currently in Mode 3 with its 2007 releases (Vista, Office, SharePoint, etc.), in Mode 2 with its other OSes (and products), and in Mode 1 with its online services.

The day the following happens will be the day that Microsoft is aligning its business model to its security requirements:

  • De-coupling of the OS and its currently bundled applications (i.e. stop selling Megalomaniac Operating Systems, and start selling each major component separately: Kernel, Windows GUI, User Applications, IE, IIS, etc.)
  • De-coupling of the .NET framework and its core components
  • Focus on Managed/Verifiable code (creating the ‘Brand’ that will make clients recognize such products)
  • Really embracing Open Standards and stopping ‘lock-in predatory behaviour’
  • Running online services under partial trust (making their clients aware of it, and tying its SLA to it)

Note that moving software in-house to provide it as a service (as Google will soon find out) does not have fewer security requirements than normal ‘desktop/server packaged applications’; it has MORE security requirements, since its security exploitation will affect ALL customers (i.e. in a ‘software as a service’ mode, Awareness Mode 4 is even more important).

2 Responses to “‘Security Awareness Modes’ & the ‘day Microsoft changes’”

  1. Security Implications of Inhouse Software « Mark Curphey - SecurityBuddha.com Says:

    […] Implications of Inhouse Software As always Dinis Cruz shares a very interesting view “Note that moving software in-house to provide it as a service (as google will soon find out) […]

  2. Internet Security and Programming » Blog Archive » Security Awareness Modes’ & the ‘day Microsoft changes’ Says:

    […] Read more… Tags: blissful ignorance, mode 2, modes, patches, penetration test, relationship, security awareness, vulnerabilities. Posted on Thursday, March 8th, 2007 at 3:12 am under category News. […]
