Pushing Left, Like a Boss - Part 10: Special AppSec Activities and Situations

Special Situations

Not all application security programs are the same, and not all security needs are equal. As many of you know, I am leaving Microsoft this week, and I'm going to talk about them a bit in this article because they are probably the best example on the planet of special security requirements and situations.

Think about this: Not only does Microsoft make the most popular consumer operating system on the planet (Windows), they also make the second most popular cloud (Azure), the most popular programming IDE (Visual Studio Code), one of the most popular programming languages/frameworks (.Net), the most popular office suite (Microsoft Office), and so, so much more. It wasn't until I worked there that I realized just how many things depend on Microsoft. It's staggering. I tried to threat model the idea of Microsoft going out of business (I'm a blast at team meetings) and I think the world would not be able to recover, because their systems are used to support so many other systems on this planet that are critical. We would literally shut down.

What this means is that Microsoft has very special security needs. Their operating system, cloud and other products that we depend on must be secure. They must go far beyond the average company in their efforts to ensure this, and they do. I have seen this first-hand; I was lucky enough to work with the amazing human beings that create and maintain these systems for two years. I was repeatedly floored by just how incredible the people were who I was so privileged to work with. 

Farewell Microsoft

But the average company is not Microsoft, which means it doesn't need to take the same precautions. As a second example, let's take "Alice's Flowers".

