Microsoft a leader …
Talk about a turnaround. It’s always hard to recognize the larger, slow-moving paradigm shifts as they happen. But after a decade of bad press regarding its commitment to software security, Microsoft seems to have turned the tide. Redmond is getting consistent security accolades these days, often from the very critics who used to call it out. Many of the world’s most knowledgeable security experts are urging their favorite software vendors to follow in the footsteps of Microsoft.
Haters will always continue hating, but the technical press is giving a lot of favorable coverage to Microsoft’s successful efforts to make itself a computer software security leader.
It isn’t just press talk alone. Every common security and vulnerability metric shows Microsoft’s software security has dramatically improved over the years, especially compared to its main competitors. Vulnerabilities found by employees and external researchers are down well over half from just a few years ago. For some products, such as IIS and SQL Server, the improvement is startling, going from dozens of exploits a year to barely a handful over five years.
Hackers have moved on from focusing on Windows holes to attacking third-party applications or social engineering the end-user as the primary attack vector. Patch Tuesday was derided when it first appeared. Now it has become a model for many other popularly attacked products, and vendors not using a regularly scheduled patch period are being asked to get on board by their customers.
Sure, Microsoft still has its share of critics, and it has a long way to go before it is done, but it’s hard to argue that the company has not made significant progress.
The reason for the turnaround?
Although there are many factors to its success, including better patching, host-based firewalls, and increased responsible disclosure, the lion’s share of the success belongs to its dedication to Security Development Lifecycle (SDL) processes. Microsoft is being touted more and more frequently, even by people who otherwise would claim to hate Microsoft, as a programming security model to follow.
And those documents and tools are free!
But the best part is that most of the tools and thousands of pages of information that Microsoft used to turn itself around are freely available to anyone. They can be used by you and your company to create more secure software. You don’t have to reinvent the wheel or discover the secrets of secure coding on your own. Microsoft is pretty far along in the maturity of its SDL model, and you can benefit from the policies, standards, and procedures it has developed. Instead of guarding this know-how as a secret competitive selling point, Microsoft is inviting everyone to participate. After all, a stronger, more secure computing ecosystem benefits everyone. (Source: Pigs fly! Microsoft leads in security)
Now, after you’ve overcome the shock of Microsoft being a security leader, go to the SDL resources page.
Posted on June 22, 2009, in Cybersecurity, Microsoft, Security, Security tips and tagged Computer security, Internet Information Services, Microsoft, Patch Tuesday, Security, Security Development Lifecycle, vulnerability, Windows.