Unfortunately most of the "hard" work will be metrics massaging, redefining words and covering stuff.
But the first phase will be a lot of "security & quality" presentations to the troops, some hiring and ground prep-work so the blaming can be done when things go south.
I would like to be more positive, but I already saw this cycle too many times.
How about security being part of the requirements to keep a job instead of a monetary bonus? And this has to be applied to the top, only then to the bottom.
If the person was notified of a security problem, and ignored it, or tried to sweep it under the rug, instead of taking it seriously, then absolutely fire them, but assuming no malfeasance, firing people just leads to institutional knowledge loss which would lead to worse outcomes.
Executives and high ranking managers might not be people to you, but they also have invaluable institutional knowledge that will be lost if they get fired.
We are talking executives here, it's their job to organize teams and work in a way to achieve stated objectives. This is reality for every higher-up position and one of the reasons they are the way they are, etc.
I see some devs thinking I was talking about them and getting defensive :) It's not a "we discover a bug, we fire you" situation, that's ridiculous.
For huge mistakes sure. But unless people even at the top of the chain are more worried about fixing the problem than looking good, you have a recipe for disaster.
I cannot speak for everyone, but in my neck of the woods there are specific deliverables like locking down server access more, removing poorly secured test accounts and older auth methods in general, locking down network in terms of what can access what, cleaning up dependencies, etc. There's a list of about 20-30 things that are to be measured automatically and driven to ~0.
>How about security being part of the requirements to keep a job instead of monetary bonus?
Because the monetary incentives are greater than the position for executives, and they are the ones to be accountable.
Of course this is a form of lip service. Of course there's way more to do. But they are making a very public statement to prioritize security. That's a positive.
A bit curious how it is worded. I wonder, will it actually improve security, or will it be metrics that are being played around with, actually decreasing security (e.g. teams might stop registering/tracking issues as a way of not having registered bugs)?
Wow, the first two things I thought of after reading the first few lines of that article were:
- the Peter Principle (as a loosely related concept)
and
- that the new MS diktats would immediately be gamed.
What was my surprise when I saw both those concepts mentioned in the See Also section!
I did not know about most of the other See Also points, though, except for Confirmation bias, which I had read about on Hacker News, and the Hawthorne Effect, which I had read about elsewhere, IIRC, in a Dale Carnegie or similar self-help book.
"...its Senior Leadership Team's pay partially dependent on whether the company is "meeting our security plans and milestones," though Bell didn't specify how much executive pay would be dependent on meeting those security goals."
"Perhaps they should tie executive pay to customer satisfaction?"
MS is a publicly quoted company wot sells shares. They are therefore answerable to their shareholders. Shareholders first, everyone else comes second is largely the first order of the day.
It's a bit shit when you try to factor in some sort of moral angle but that is how things are.
I think what regulators should start doing instead of or on top of inflicting monetary fines is to force companies to mint a significant amount of new shares and put them in escrow accounts; then, in case some future event happens (a security incident meeting some specific criteria for a catastrophic incident), the shares should be put on sale at market price and used to refund the affected customers and pay for the regulatory costs.
In this way, executives and policy makers have a harder time moving on and not being held accountable before the effect of their bad decisions is apparent, because the reputation for shareholder value destruction could haunt them. Executives will be incentivized to create a better security culture.
The Ars Technica article is a lot more critical of Microsoft and provides some history. That said, it is frustrating how most of the links just link to other Ars articles.
When I click on a link in an article, almost always it’s because I want to cross reference the information on a different source. If the link takes me to another article on the same site, I usually stop reading altogether.
Funny how I've heard from an Azure employee who worked with many big clients that very few among them cared about security - the incentives were just not there.
Seems like they're finally doing something about that, to set an example for the rest of the industry.
I doubt that's the case. I've been working in/near enterprise sales for quite a while now. Security is considered unglamorous table-stakes: companies won't buy your stuff because you're doing all the right things, but they'll definitely not buy your stuff if you're not.
Giant products like AWS and Azure are too big to grill about their security controls. If you try to ask an AWS rep about something, they'll direct you to their security portal where you can download a SOC2 report and a few other things. That's about all you'll get from them unless you're equally huge. The most you can really go by is their reputation. If you trust AWS, buy their product. If you don't, don't. That's all the prior research a typical < 10,000 employee business can possibly do.
My suspicion is that your friend is only talking to clients who've vetted Azure and figured "it's Microsoft: they're big so they probably know more about it than I do". It's not that they don't care. It's that there's nothing they can do about it. The people who don't already trust Azure would never have gotten as far as talking to your friend in the first place.
We're getting drowned by security checklists from clients now.
A lot of them don't make much sense for us, we primarily make a Win32 B2B program hosted by these customers themselves and a lot of the checklists are all about more generic web SaaS things (because we charge like SaaS). But the person on the other end wants all the questions answered regardless.
Seems that as long as you can put a checkmark in a box that you follow various "best practices" and whatnot, actual details don't matter. You put a checkmark in a box, you did your best.
From being on the buying side, it's likely that the person sending you that questionnaire knows a lot of it is irrelevant to your situation, but they're personally reviewing 100 vendors this year (no, seriously) and there aren't enough hours in the week for them to make exceptions for everyone.
Very often the best answer would be like:
> Q: Do you use multi-tenant databases?
> A: N/A: you'll be deploying our product on your own server.
That's actually a perfectly fine answer! The person reading it doesn't have to explain large gaps in the answers to their boss. It documents why this isn't relevant in a way their successor can easily understand next year when they're reviewing those 100 vendors as part of their annual Vendor Management Policy™ process.
You can write whatever you want. Nobody is ever looking at that document again. By the time the annual process rolls around the process has already changed so much that it's now insufficient. The mandate from management will be to "do it right for future vendors, but blanket approve the previously signed agreements"
It's the same thing every time because the actual security is in the details, but details are so fucking boring.
I get it! I’ve been on both sides of that table many times.
If you see the same questions over and over and over again, consider filling out a SIG LITE questionnaire and offering that to buyers from the start. If you can give them all or most of the info they need in a common format, you might be able to head off a lot of follow-up questions.
FWIW from my own experience with auditors, the process is really kind of superficial. Yes, they can identify the most common checklist-based gaps, and that's what tends to be the low-hanging fruit for attackers as well. But they would never go deep enough to identify something that a determined attacker could exploit.
It really depends on the Team. Trying to broad stroke anything about Microsoft engineering is impossible because it's a patchwork of business units and teams that rarely communicate and work together unless forced. Some Teams are very visible and have top talent on them that prioritize and think about security. Some services do not... problem is security is very much a "you're only as strong as your weakest link" kinda thing.
This is a step in the right direction to get the top-layer prioritizing security.
Couldn’t agree more. I can’t emphasize enough how BIG Microsoft is and how many dimensions of security there are. Nobody has as many attack vectors as we do. I’m pretty confident in saying that. It’s a super hard problem and nearly impossible to enforce all of them from an organizational standpoint. But this is a great step in trying to do so.
That's true - he was talking about clients though, if my memory serves well.
The main challenge he highlighted is there're no financial incentives for most companies in the industry to stay secure (unless you're a security company) - the punishment (including reputational risk) is just way too small.
How could you possibly secure anything when the other half of the company is shoving ads into the start menu and implementing "ai search" to record every keystroke and screen text into perpetuity?
Even the good people at Microsoft will forever be undermined by this shit, complete demoralization and throwing their hands up at doing anything properly.
They are antithetical really. AI is fundamentally about undefined behavior because we cannot define it better algorithmically (putting aside the AI algorithms themselves). Security is about avoiding such undefined behavior and only doing things that we expect. At best you have a very secured sandbox to keep the AI in, away from anything but user input and training data.
If anyone is dumb enough to trust Microsoft after all the shit they've pulled over the last 30+ years, including the most recent collection of large-scale security fuckups, they deserve what they get.
Charlie has been at MSFT a little while now, I suspect he knows how the machine works.
I would expect this to result in lower feature velocity. In theory features are tied to increasing revenue. If so, I wonder if he is actually willing to make that trade off.
I wonder why Microsoft is doing this now. They had blithely ignored security for many years. Their products have been insecure by default as long as I can remember.
I suppose it all hinges on whether Microsoft takes a hard line against executives failing to honestly disclose security incidents. Ideally they'd treat it as a form of fraud.
This is like the Samsung managers that have to work 6 days a week. What a drain on morale.
Software in particular has been so lucky to have so many people able to steam ahead, break ground, make features and new products. This caring for the rest, looking at longer lifecycle & maintaining... It's not fun. It's not inspirational. It's not fast. It doesn't feel productive or creative.
And that's some of the next decades for this profession. An end to fun and innovation. More being yoked and driven by external demands & stressors. Good luck all.
Fun fact: for many years now executive (and manager) pay at Microsoft has been tied to meeting diversity quotas, and hiring straight white men when you’re under quota required exec approval: https://www.cspicenter.com/p/what-diversity-and-inclusion-me....
How this particular new “tying” of one thing to another impacts the overall state of things is anyone’s guess.
I know people who work there, too. Some of them are execs. Let’s just say I don’t need help framing the article. My sole motivation is to get things to where merit and merit alone determines who gets hired and promoted. Not genitalia, sexual identity/orientation or color of the person’s skin.
>My sole motivation is to get things to where merit and merit alone determines who gets hired and promoted
The problem is that "merit" is an incredibly loaded term. It _sounds_ nice. But reality is messy.
For example, how do you explain the incredibly tight and consistent correlation between the income group you're at by 30 and the one you were born into? Where is the merit in that?
Racist and illegal yes. But common. All of FAANG use discriminatory quotas behind the scenes for promotion and hiring, and often the lower level employees have no idea because these actions are done quietly by individuals or only discussed in verbal meetings to leave no records. Individuals make decisions that are discriminatory because rewards for them (senior managers and executives) are based on quotas (diversity goals). For example, in a few of these companies you aren’t eligible for a senior promotion unless your team has certain minimums on protected traits.
If they were really doing racist and illegal things they'd be getting sued. This "don't hire white men" thing only exists in the fever dreams of right wingers.
This is absolutely false. Speak to any higher level manager at big tech companies and you’ll hear the truth about various hiring and promotion programs that these companies never put in writing or talk about publicly. The reason these companies don’t get sued is those individuals are afraid of social and professional retaliation that may affect their careers, even though they’re on the right side of history.
Yeah, because it’s bullshit. How would you even know the candidate’s sexual orientation? Even the article they link doesn’t say that, and mentions multiple times that there were no quotas. The most it says is “it seemed it would make HR happy” which as an interviewer I don’t know why I would give a shit about. Other than asks to throw another random candidate in the loop, which happens all the time for all sort of reasons, there is no more “push” because yeah that would be illegal.
If you think that an increase from 6.5% to 7% in Hispanic employees or from 28.6% to 29.7% in women is all driven by requiring exec approval for straight white men, then you’re delusional.
You don’t have to believe, I read the whole goddamned linked “article”, and parent misrepresented even that. There was a VP that approved promotions, but no particular requirement just for straight white males. That’s just one example of parent’s BS. They got other stuff from the link wrong, too.
Straight white males are the only “non-diverse” demographic. So they aren’t mentioned specifically in diversity quotas, of course. But if you hire too many of them, you can kiss some part of your bonus goodbye on account of not meeting quotas. How this is legal IDK
> But if you hire too many of them, you can kiss some part of your bonus goodbye on account of not meeting quotas. How this is legal IDK
Because you’re literally pulling that out of your ass. Even the article you link never mentions that and mentions multiple times that there was no such thing.
Ah but that’s not how they’re selling it. None of this is sold as “we discriminate against white men” - too crude. Instead it’s “we hire more women and minorities”. Same thing, but sounds admirable.
Note that I’m not necessarily tying years of hardcore DEI quota hiring per se to their recent failures. For all I know the two things might be unrelated. I’m just saying they already tie exec compensation to all sorts of other things some of which might conflict with one another.
DEI is not the same thing as "you can't hire straight, cis white men without explicit approval." A policy like that is illegal. The fact that you would conflate them tells me you don't know what DEI actually is, and are just repeating right wing talking points.
Requiring approval to hire someone due to any protected characteristic is illegal. That policy would result in massive lawsuits. You are making things up.
He’s not making anything up. Frankly that you don’t believe something that is so widespread and well known tells me you’re not in the industry or at least not in management. Everyone knows what protected characteristics are but they still break the law because it’s unlikely they’ll get in any trouble. And that’s because everyone who is against these discriminatory programs is too afraid to speak up.
I have been in the industry for 25 years. I have hired dozens of people, including recently. We are not even allowed to ask someone's race, let alone consider it when hiring. The only people who think things work the way you and the other commenter do are delusional right wingers.
DEI is about inclusion (that's the I) of people who have traditionally been excluded from opportunities. It's not about keeping anyone else out or down. Try actually educating yourself instead of repeating brain dead nonsense.
> The only people who think things work the way you and the other commenter do are delusional right wingers.
You’re simply dismissing others’ experience, but I’m not lying to you when I say that many of us have direct experience with this. At the big tech companies this is normal practice. Also race questions are standard in the application process, even if optional, and even if you don’t answer them, internal diversity teams will guess at people’s races where they don’t have data. In hiring decision meetings, people definitely discuss protected traits as a reason to say yes. In promotion meetings, these diversity metrics are reviewed and tweaks are made based on protected traits. If you’re a junior manager you are not going to be in the room when that happens, to keep things secret.
> Try actually educating yourself instead of repeating brain dead nonsense.
lmao at the idea that any company is giving the trendy DEI heads any authority, much less hiring approval authority.
I wish DEI groups had as much power as right wingers fantasize. Maybe we'd see more under represented communities in C-suite, instead the head of DEI trots everyone out for a meeting to talk about what they want to do and then "mysteriously" leaves 8 months later when they realize "wait, I don't actually get to do anything".
Well “the state of things” is that Microsoft is the world’s most valuable company by market cap. So clearly they’re doing something right, even if they have a history of poor security going back decades - way before any kind of diversity bias was the norm.
Anyway, I read as much of the linked article as I could stomach, but I gave up at this point:
> When I began my career, I believed that the systems for determining who got a job or a promotion at a company like Microsoft at least aimed at an ideal of meritocracy
I have had these conversations with fuckhead managers in the past. How the hell can we have a meritocracy when non-cis-white-males have far less opportunity to gain the resume points necessary to compete? “Meritocracy” in this sense is, at best, nothing more than a cover for conservatism.
A historical lack of diversity obviously has a compounding effect on the skills of a population and the only way to fix that historical wrong is to promote people who would not otherwise have had that opportunity.
Instead of railing against diversity quotas, maybe instead you could think about why the fuck they are necessary in the first place?
It’s not the job of private industry to fix the past and current mistakes of government, namely segregation, property-tax-linked school funding, redlining, urban highway construction, etc etc etc
Could it be that the biggest company in the world benefits from these policies? By acknowledging that a resume might be affected by lack of opportunity, Microsoft gets to sample from a larger pool of potential excellence.
It’s pretty simple really. Isn’t the success of Microsoft proof that diversity is actually beneficial to private industry?
I’ve come to the conclusion that “meritocracy” - when used in the context of diversity - is just another code word for “racist fuckhead”, and honestly I’m sick of hearing about it.