Take Charge of Your Own Security
Microsoft has improved security for its products in several key areas, but holes remain.
by Peter Varhol
September 2, 2005
Technology Toolbox: VB.NET, C#
In early 2001, Microsoft announced the Secure Windows Initiative, which laid out a set of activities designed to inject security into all development practices at Microsoft.
From the outside looking in, this initiative appeared to be a disjointed and uncoordinated response to a multitude of software security threats. Development teams at Microsoft "stood down" to focus on identifying and fixing security holes in existing code and on writing more secure code in the future. At the same time, the company attempted to rein in its haphazard processes and become more proactive in establishing the cause of known vulnerabilities and releasing patches for them.
Four years have passed, so now is as good a time as any to see how well Microsoft has accomplished the goals it set for itself. Is the battle almost won, has it just been engaged, or is it being largely ignored beyond the rhetoric of allegiance to the concept?
Answering these questions isn't easy, but it's important not to lose sight of one crucial fact when evaluating Microsoft's security policies: You bear ultimate responsibility for your own security. So, I won't just look at how Microsoft is doing, but I'll also point out what you can do to take advantage of the security that's built into the Windows platform. In many cases, the security is actually built in but underutilized. Microsoft bears some responsibility for educating its user base, but its user base is not excused from meeting Microsoft halfway.
One reason it's difficult to evaluate Microsoft on security is that the platform extends across several major components, including the OS, the database, and development tools. A bigger issue is deciding what standard Microsoft should be held to when judging its efforts to become more security-conscious. All software vendors face security issues, but other vendors get much less attention than Microsoft does (see the sidebar, "How Java Compares on Security"). This might seem unfair on the surface, but a vulnerability in one of Microsoft's key products has the potential to affect far more people and can cost far more to monitor and fix.
So I hold Microsoft to a higher standard than others, but I also acknowledge actions it has taken to address its issues, even if some of those actions haven't yet borne fruit (see Table 1).
Because of its ubiquity, Windows (and Internet Explorer) gets the most negative attention on the subject of security. Hardly a week passes that you don't hear about a report of a critical security flaw or a virus attack that exploits an already known flaw.
Much of that attention comes from the sheer number of Windows installations. If a virus infects a tiny percentage of Windows systems, that can still be millions of computers. And from that perspective, it really doesn't matter whether Windows is more or less secure than other operating systems, because the impact of any flaw is correspondingly greater.
That is a tough standard to live up to, and Microsoft is attempting to do so through a regimented patch program. Microsoft schedules the release of patches every second Tuesday; occasionally there are no patches for release, and occasionally there are emergency patches, usually driven by critical security issues.