Most of you already know that in this age of the Secure Computing Initiative (aka Secure Development Lifecycle) at Microsoft that we actually have made tremendous strides in providing not only more secure software but more robust software as well. Of course, whenever you make a platform change, as we did with Vista, you’re going to run into driver and application platform issues that give the OS the appearance of “bugginess”, but most of you are technical enough to appreciate that driver issues are not a sign of inherent OS problems but rather an indicator of OEM/ISV development weaknesses on one level or another (funny, you seldom hear about driver issues with OSS, but they’re not immune). In fact, as I’ve toured the country doing live presentations to partners audiences for TS2 over the last 3 years (since Vista), I’ve routinely found that the vast majority of partners were happy with Vista – of course, some had customers with legacy hardware or software issues, but outside of those issues, there was was overwhelming support for Vista from a partner perspective. The trade press, however, fostered a negative perception about Vista that’s all too well known at this point, usually relying on anecdotal and unsupported evidence, which of course has been the subject of many blogs on my part over the last few years. But what’s really interesting to me is how little the trade press seems to focus on other software vendors who continue to put out vulnerable software that’s developed using the same old dev paradigms that they’ve used since the previous millenium — no SDL for them, and the results are not at all surprising, other than, as I said, the lack of attention around this they seem to enjoy (especially our fruit-branded friends). If you’ve read my posts for some time now you’ll know that the headline “Vista hacked” from a past PWN2OWN contest was actually the result of an Adobe software exploit. And you also know that the Apple platform, and browser, only gives the appearance of security (by obscurity, or lack of value due to small market share), and is always the easiest to hack and first to fall in these hacking contests. Yet, have you ever heard the trade press take Apple or Adobe (as major examples) to task for not doing something like Microsoft’s SDL to improve their dev practices? So it’s interesting to me, and worthy of a post, when I come across an article like this one that at least highlights the situation. I recommend this article on ZDNet, 10 Most Vulnerable Software Apps of 2009 [ZDNet]. Interestingly, this is one of the few times I actually found some of the comments worth a read as well. (Usually the comments are a complete waste of time IMHO, since the vast majority of them seem to be done by uninformed, but highly opinionated, “fanboys” of one ilk or another – and this one has those, but it also includes some that are actually worthwhile.) One comment (#30 “Where have you been lately?”), does a good summary of the promise of the SDL without naming it specifically. Of course, the response to him (#31) was the typical uninformed fanboy type. The main reason I’m recommending this is to highlight that the vendors I called out above are still leading the pack in producing software that’s not as robust as it could be – no, it’s not to point out that there’s no Microsoft app in the list <smile>, but I’m guessing you’ll notice that anyway. Of course, no software will likely ever be bug-free, so my point here isn’t to cast aspersions on them because of a few vulnerabilities, but rather to point out that where Microsoft has changed their dev paradigm and is actually on an obvious course to more robust software out-of-the-box, the other vendors, for whatever their reasons, are not seeming to feel the need to modernize their dev efforts, thus, my point is, that I’ve made many times before, is that you should be talking to your customers about the strategic implications of this in helping them plan their IT strategies and deployments. Actually I did some research on this article and discovered something called the X-Force Threat Reports that I wanted to point out in case you weren’t aware either. One of the commenters referenced the X-Force 2008 Annual Trend and Risk report, which is a little dated now, but I may check back for their 2009 version in the near future. And, in that vein, don’t forget that Microsoft publishes their Microsoft Security Intelligence Report semi-annually (the last one was published in Nov for the Jan-Jun 2009 time frame) – I highly recommend you download and read the Findings Summary (if you don’t want to wade thru the entire report). For instance, it really shows how much less vulnerable Vista is than XP (this period was prior to Win7 launch), and that Trojans are now the primary threat in the US. And you should also check out the Exploit Trends – Browser-Based Exploits section (pages 9-11) for a very interesting look at how moving to Vista significantly reduces browser vulnerability – check out this excerpt: “Microsoft software accounted for 6 of the top 10 browser-based vulnerabilities attacked on computers running Windows XP in 1H09, compared to only 1 on computers running Windows Vista. The vulnerabilities are referenced below by the relevant CVSS bulletin number or by Microsoft Security Bulletin number as appropriate.” Armed with that knowledge, I’m hoping you can make a strong case for the security benefits of Vista/Win7 over XP in those customer IT conversations I referenced above.
Bottom line, which comes as no surprise to my readers, is that, thanks to SDL, the Microsoft platform (and software) while certainly not perfect is nonetheless on a trend toward safer and more robust computing than any of the other platform or major software vendor and this is a message I hope you’re already sharing with your customers. As this becomes more well-known and obvious, I’m hoping that many of you will be able to help your customers overcome some of the legacy attitudes (don’t do “dot zero” or “always wait for SP1”) that are keeping them from adopting “modern” technology that will in fact work better and will produce ROI for their IT investment. Not to mention, help you help them with more advanced remote and management capabilities and just plain more robust software.