Microsoft a leader … in security?

Talk about a turnaround. It’s always hard to recognize the larger, slow-moving paradigm shifts as they happen. But after a decade of bad press regarding its commitment to software security, Microsoft seems to have turned the tide. Redmond is getting consistent security accolades these days, often from the very critics who used to call it out. Many of the world’s most knowledgeable security experts are urging their favorite software vendors to follow in the footsteps of Microsoft.

Haters will always continue hating, but the technical press is giving a lot of favorable coverage to Microsoft’s successful efforts to make itself a computer software security leader.

It isn’t just press talk. Every common security and vulnerability metric shows that Microsoft’s software security has dramatically improved over the years, especially compared to its main competitors. Vulnerabilities found by employees and external researchers are down by well over half from just a few years ago. For some products, such as IIS and SQL Server, the improvement is startling, going from dozens of exploits a year to barely a handful over five years.

Hackers have moved on from focusing on Windows holes to attacking third-party applications or social engineering the end-user as the primary attack vector. Patch Tuesday was derided when it first appeared. Now it has become a model for many other popularly attacked products, and vendors not using a regularly scheduled patch period are being asked to get on board by their customers.

Sure, Microsoft still has its share of critics, and it has a long way to go before it is done, but it’s hard to argue that the company has not made significant progress.

The reason for the turnaround?

Although there are many factors to its success, including better patching, host-based firewalls, and increased responsible disclosure, the lion’s share of the success belongs to its dedication to Security Development Lifecycle (SDL) processes. Microsoft is being touted more and more frequently, even by people who otherwise would claim to hate Microsoft, as a programming security model to follow.

And those documents and tools are free!

But the best part is that most of the tools and thousands of pages of information that Microsoft used to turn itself around are freely available to anyone. They can be used by you and your company to create more secure software. You don’t have to reinvent the wheel or discover the secrets of secure coding on your own. Microsoft is pretty far along in the maturity of its SDL model, and you can benefit from the policies, standards, and procedures it has developed. Instead of guarding this know-how as a secret competitive selling point, Microsoft is inviting everyone to participate. After all, a stronger, more secure computing ecosystem benefits everyone. (Source: Pigs fly! Microsoft leads in security)

Now, after you’ve overcome the shock of Microsoft being a security leader, go to the SDL resources page.


About brvanlanen

Just a thirty-something guy currently hanging it up in the greater Green Bay area. My post-high school educational background is mainly in the Information Technology field. Specifically I have an A.A.S. in Computer Network Systems and a B.S. in Information Systems Security, both from ITT Technical Institute, in addition to A and MCDST certifications. In my free time I enjoy spending time with my family, cooking and sports. My Christian faith is also important to me as a Missouri-Synod Lutheran and all my children attend a Lutheran grade school. When it comes to political leanings I am a conservative first and foremost which you will discover rather quickly. As for sports I am a huge fan of the Green Bay Packers.

Posted on June 22, 2009, in Cybersecurity, Microsoft, Security, Security tips.