
That doesn't seem to be accurate. [0] [1] Microsoft consistently makes mistakes that put its customers at risk, like being unable to secure their development environment so that when encryption keys leak in a badly sanitized dump into the dev environment they are almost immediately misused by other state actors against the US federal agencies. [2] How can you trust anything that comes out of the development if you cannot be reasonably sure about the security of it? And we can't really trust Microsoft reports either because of "Inaccurate public statements" (euphemism for lying). [0]

And if you argue with Andres Freund and the XZ discovery recently, he is really a Citus guy. Yes, that is now part of Microsoft but I guess you get my point of him not being directly hired by Microsoft AFAIK.

Microsoft as an organization could and should really do a lot more for security and privacy than they do. But first the culture would need to be that there actually is a lot of low-hanging fruit instead of searching for excuses. [3] For instance, Windows Updates could be more reliable, predictable in how long they run and much faster overall. Windows could detect and stop ransomware much better. Microsoft could make Windows Server Core cheaper and have a separate, more expensive license for the "full fat" Windows Server with desktop services. That would put some pressure on organizations to do the right thing and reduce the attack surface area.

[0] https://arstechnica.com/information-technology/2024/04/micro...

[1] https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-a...

[2] https://msrc.microsoft.com/blog/2023/09/results-of-major-tec...

[3] https://blog.royalsloth.eu/posts/it-takes-a-phd-to-develop-t...


