Security is an Industry Problem

The information published in this post is now out-of-date and one or more links are invalid.

—IEBlog Editor, 21 August 2012

I've received enough questions in email from different people about a recent vulnerability in another browser that I wanted to post something here.

I think the best place for the facts is with the people responsible for the browser. I say this based on the number of articles I read that misrepresent issues in Windows and IE.

I also think that security is an industry-wide problem. It's not limited or unique to operating systems or applications, or client or server software. It's not limited or unique to commercial software or open source.

The only us-versus-them distinction I want to make around security is to put responsible software developers, security researchers, and customers together as "us" and malicious (whether it's intentional or not) software developers, security researchers, and their customers together as "them."

Today, I see a tremendous amount of talent and intelligence applied to breaking or repurposing software. Some of that is positive and responsible. I've listened to and worked with security researchers I would describe as brilliant with no mitigating clauses. They are also responsible. They've worked with us to point out how we can build better software.

I don't know what to say or do about "them." I think some of what we can do is help legislators and law enforcement understand what's at stake in a constructive way. I want to know what else you think we can do about the malicious behavior we find on the Internet.