RE: Microsoft Security (...how to reassure customers of)
From: Botwick, Jason (GEI, MORT, Contractor) (Jason.Botwick_at_ge.com)
Date: 01/22/04
- Previous message: ajq_at_comcast.net: "RE: Microsoft Security (...how to reassure customers of)"
- Maybe in reply to: Shane Colley: "Microsoft Security (...how to reassure customers of)"
- Next in thread: Harlan Carvey: "Re: Microsoft Security (...how to reassure customers of)"
To: focus-ms@securityfocus.com
Date: Thu, 22 Jan 2004 14:15:19 -0500

What lies?

Good luck trying to win a debate about which is more secure out of the box,
Linux/Apache or Windows/IIS, or which combo is easier to keep secure over
time.

Even "properly" configured MS systems have been repeatedly shown to be
vulnerable to exploits with severe consequences, and that company's response
to these vulnerabilities hasn't always been forthcoming and rapid nor have
their remedies always been easy to apply or complete and correct in their
functioning.

I don't know why you'd want to reassure your potential clients that
Microsoft systems are secure, or even that it's anything less than a
significant and ongoing effort to configure and maintain them to be as
secure as possible--in fact, you'd be doing them a disservice if you did.

I'm not trying to start yet another bash MS thread--there are plenty of
those. But it's a pretty well accepted fact that certain particulars of the
fundamental design of Windows, combined with MS's historical attitude and
competence with respect to security/patching/etc, combined with the wild
wild web makes it a difficult OS/web server to keep secure. You may argue
that it's not difficult if you know how to "properly" secure Windows and
IIS, but at minimum it is an ongoing task that requires vigilance and can be
extremely time-consuming.

You might suggest to your potential client that Apache/Linux systems also
need to be secured, and that this isn't a trivial task either. If you take
securing your systems and applications seriously, say so and back it up.

-----Original Message-----
From: Shane Colley [mailto:shane@sonatalabs.com]
Sent: Thursday, January 22, 2004 11:58 AM
To: focus-ms@securityfocus.com
Subject: Microsoft Security (...how to reassure customers of)

My company focuses on web design (portal/CMS) for small/midsize companies
and non profit orgs. We generally design with ASP.NET/WIN 2003 Server/MS
SQL Server.

We have recently run into a problem with a local competitor. The competitor
generally designs flash and php sites hosted on Apache/Linux.

The competitor is apparently going to our customers and potential customers
and trying to scare them off by bashing Microsoft/IIS.

Security holes in improperly configured MS systems are no secret... so
people already have this idea in their head /before/ this competitor gets to
them.

It's like the competitor is playing off of the customers' fear... and once
they are afraid, it appears the burden of proof lies on us.

I'm looking for suggestions and/or resources on how to counter this. If you
or any of your companies have run into similar situations, I'd love to hear
how you handled it.