No magic bullet for security

I am too tired today and will refrain from getting onto my soapbox. I will say for the record that while MS works hard at using the word security, they still need to do something about their own track record before most people will ever take them seriously when compared to OSS in the security field.

Some say that open source software is inherently secure because the “open source process” makes it so. Wrong. Open source software, and the collaborative culture that surrounds it, have surely enhanced Firefox’s security. But also necessary is a disciplined approach to reducing the attack surface area. And one of the most vocal and visible proponents of that discipline today is … Microsoft.

The recent turnaround of the company’s IIS (Internet Information Services) Web server was remarkable. Version 5 was security-challenged and widely deprecated, version 6 is rock-solid and arguably safer than Apache. If the long-delayed refresh of Internet Explorer has been rethought along similar lines, it could prove to be an excellent platform on which to safely tap into the power of AJAX — which, after all, Microsoft invented. [Read the rest]