Apple is getting a lecture on its security response process from the unlikeliest of places.
In a classic flipping of the script, a Microsoft program manager who regularly serves as the public face of the software makers security response process rapped Apple for the way it handles security guidance to customers.
In a series of entries on his personal blog at Stepto.com, Microsoft program manager Stephen Toulouse called on the Cupertino, Calif.-based Apple to hire a security czar and revamp the way information is released when Mac OS X updates are shipped.
“Look, the only way you can tackle security issues is by getting out ahead of them and clearly communicating to your users the threat, and the clear guidance on how to be safe,” Toulouse declared in a reaction to what he described as the “recent trials and tribulations of Apple in the security space.”
“Heres the reality, for the next couple of years the Mac OS will experience increasing security threats and mark my words, the company will have to seek outside expertise in the form of a head of security communications in the next 12 months,” Toulouse added.
He said Apple needs a person “steeped in security issues, true technical analysis, and can lead a good security team to get good guidance out there.”
Toulouses statements, which were posted on his own blog and reflected only his personal opinions, echoes a growing sentiment—in and outside Redmond—that Microsoft is now the standard by which other vendors are judged when it comes to dealing to security crises.
In the aftermath of the Blaster and Slammer worm attacks, Microsoft has made significant changes to the way it fesses up to security vulnerabilities and communicates with hackers in the private research community.
Toulouse said the company certainly learned from its own problems. “A lot of the attacks Apple is experiencing today are just like the most prevalent threats on Windows: Attacks that require the user to take an action first. Weve learned the lesson of getting out there fast and providing clear prescriptive guidance,” he added.
In response to an Apple spokesman who was quoted in a BusinessWeek article as saying the company does not need a security figurehead because the entire Apple staff cares about security, Toulouse said: “Thats a little like saying the White House shouldnt have a Department of Homeland Security because, DUH, everyone in the government cares about security!”
A separate entry on Toulouses blog also takes issue with statements from Apple that the content in its security advisories are similar to those released by Microsoft.
Toulouse Picks Apart Apple
“[I] went to their most recent security update documentation. I note no mitigating factors in Apples security communication for customers to assess their risk. I note no frequently asked questions in Apples security communication to cover what an attacker could and could not do or any other information customers might ask about. I note no workarounds in Apples security communication for people who cannot immediately deploy the update,” Toulouse declared.
“I note no deployment information for enterprises in Apples security communication. I note no severity rating for any of the issues again so customers can assess their risk since updating can be disruptive sometimes. I note no file manifests in Apples security information for customers to check to make sure updates are applied properly if they wish. I note no caveats in Apples security communication in case changes made in the update cause known application compatibility issues or support issues are discovered,” he added.
“I note no free support number for trouble with updates in Apples security information in case customers need help applying the update,” Toulouse countered.
He stressed that Microsofts prepatch security alerts and subsequent security bulletins contain all that information because thats what customers demand.
When Apple was forced to re-release a security patch because of problems caused by the original update, Toulouse posted a third blog entry with another call for Apple to implement better internal security coordination and highlighted several weaknesses in the way Apple announced the patched patch.
“In the original advisory, they note that a new version is available, so thats good. But, theres no RSS feed around it. You can get an RSS feed for ALL support articles, but not just for the ones that apply to security updates. Apple does have a security announce mailing list. But it doesnt seem to cover when there are new versions available when a bug is introduced by the update,” he noted.
“One might argue that you dont need those things if you are using the built-in auto-update functionality of OS X, but I would argue back that the fact there was an update to the update might mean people turn that off to test updates before deployment because of problems like this. Oh well,” Toulouse declared.