Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/1/2008
04:02 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Web 2.0 Security, Microsoft, And Yahoo

People always seem to talk about how important application security is to them. But rarely do we --as consumers of technology -- have a chance to have a profound impact on the quality and security of software applications and services. But with Microsoft's pending acquisition of Yahoo, a new opportunity arises.

People always seem to talk about how important application security is to them. But rarely do we --as consumers of technology -- have a chance to have a profound impact on the quality and security of software applications and services. But with Microsoft's pending acquisition of Yahoo, a new opportunity arises.It took years (and years) of browbeating Microsoft into improving the security of its operating systems and applications. It took the efforts of security researchers finding software flaws, and holding the company to task to fix them. And it took its large corporate and government agency customers -- largely growing weary of the mundane and too costly task of patching -- to pressure the software company to improve its software.

And improve its software it has. If you don't think so, just go back and look at IE 6, pre-Windows XP SP2, or even pre-SQL Server 2005. Microsoft, and many in the software industry, have come a considerable way since those bad days. But there's still much to do in the industry to reach a level of truly sustainable computing.

This is perhaps especially true in the nascent area of Web 2.0 development. Let's hope Microsoft brings its Trustworthy Computing Initiative, or more precisely its Security Development Lifecycle to Yahoo, should the $45 billion deal come through.

That's not to say that Yahoo hasn't done a decent job at handling security issues. It has done a "decent" job. And in my opinion this is an area where Yahoo has an edge up on Google. The emphasis on security could certainly be better.

And now, with this deal under way, there will come an even more significant push to social networks, cloud computing, and Web applications. In fact, now the real competition will likely get under way between Google and Microsoft in the Web application market.

But with its Trustworthy Computing Initiative, and Security Development Lifecycle in place, Microsoft (I can't believe I'm about to write this) could turn security and Trustworthy Computing into a differentiator.

If Microsoft doesn't bring its SDL to the development cubes at Yahoo, it's up to us to let them know what we think about that. It's happened before.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4719
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
CVE-2020-15604
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-24560
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...