BOSTON -- Although some experts and IT professionals say Microsoft appears to be on the right track in terms of improving software security, many said they believe that software vendors would be more focused on security if they were held liable for system breaches.
Some customers at the most recent stop on the Microsoft Security Summit tour were looking for answers on how to shift some of the pain they experience in dealing with security problems back to the
It may not be feasible to pin blame on a software manufacturer, users said, but many believe vendors need to share responsibility. "It would certainly make them try harder," said Scott Bradner, senior technical consultant at Harvard University. However, Bradner said that he didn't think that companies should be liable if they release fixes to known problems.
Other customers agreed.
"They are selling products -- if you are to trust them and invest in them then they should be liable," said Mostafa Baliamoune, an engineer at Saada Co., a Malden, Mass .-based company that does software quality assurance testing.An idea that's just not practical
While in concept, the vendor is the correct place to place the liability, in practice it would be almost impossible to enforce, said Mitchell Hoffman, a principal at IT consulting firm Hoffman Associates in Boston.
"It's impossible to measure the damages," said Hoffman, who is also an attorney. "And if someone sues and gets a judgment, it could cripple the industry."
The fact is that customers wanted computers on every desk and wanted to pay just $1,000 apiece for them, rather than make a major investment in a mainframe, Hoffman said. Apple Computer Inc. and Microsoft made it possible to avoid creating IT armies to secure mainframes and the
"Apple and Microsoft created [this situation] but cannot fix it," Hoffman said. "The public has to fix it."
Many of the customers attending the Security Summit had not previously heard Microsoft's top brass deliver a progress report, so they were looking for some news that relief from worms and viruses would be forthcoming.Microsoft security chief outlines strategy
Microsoft's top security executive, Scott Charney, was on hand to outline all of the advances and improvements that Microsoft has made to its software development process since the advent of the Trustworthy Computing Initiative, which Charney oversees as chief security strategist.
Charney echoed comments made by other Microsoft executives in other public venues as the summit continues its 20-city U.S. tour. "It's not just about the technology, but the people, process and the technology," he said.
Charney said Microsoft needs to help users to make the right decisions regarding security. "But it will continue to be a shared responsibility," he said.
Customers were looking for news about specific technologies that would help them do their job. One IT administrator at a Canton, Mass.-based automotive parts distributor, who declined to be identified, said he was interested in learning more about Windows Update Services (WUS), the successor to Software Update Services. WUS is due out later this year.
For companies of any size, security breaches can be devastating, particularly because there are few options in platforms. "We started with Windows about four or five years ago because it was cheaper, but then the security issues started to break out," said Don Lee, IT director at Systemic Research Inc., in Norwood, Mass.
"We didn't think much about security back then," he said.
Lee said his company, which provides education consulting to the U.S. government, runs a mixture of Windows 2000 and 2003 machines.
"I just came to make sure [Microsoft] was living up to its commitment," Lee said. Lee said Charney didn't really make him feel much better, but he said he does see Microsoft making an effort.