Microsoft’s secure development life-cycle is “best in class,” according to Neil MacDonald, Vice President, Distinguished Analyst and Gartner Fellow at Gartner Research, and the giant software company is now “in a tie” with open source software in terms of security.
Speaking in Sydney yesterday at Gartner’s Security Summit, MacDonald said that open source software is often reviewed by more people, more quickly, thanks to the sheer number of volunteers reviewing open source code.
But MacDonald said he believes a good software development process provides better security than a large pool of reviewers.
“It is hard for the open source software movement to respond with tight development processes,” he told the Summit. “Over time Microsoft could make more secure code than open source if the community does not respond to the need for tighter development processes.”
So great has the improvement been in Microsoft security, MacDonald said, that open source web server infrastructure is no longer being selected for its security benefits.
“Internet Information Server on Windows Server 2008 has equivalent security to Apache on Linux,” he said. Choosing between the two is “no longer a security decision. It’s now a skills decision, a cost decision or another decision.”
But MacDonald said not all is rosy on the Microsoft security front. The company has entered the security software market aggressively, as there are few other large software markets in which it does not play. But the company’s approach is uncoordinated, with different groups inside the company developing products with little regard for the activities of their colleagues. The company is also, understandably, Windows-centric, which makes it hard to build an enterprise security strategy on Microsoft products. Indeed, the company does not even offer security products for Windows Mobile.
MacDonald also said that Microsoft has yet to offer adequate policies about how it will work with third-party security vendors. This lack of disclosure, MacDonald said, raises the possibility that Microsoft could be aware of a security issue in its products and adapt its own security products to fix the problem, but fail to disclose the issue to third parties. Microsoft’s security products could then come to market with fixes before rival vendors are aware a problem exists.
MacDonald did, however, say that Microsoft’s entry into the security market represents welcome competitive pressure for users of pure-play security vendors’ products, largely because Microsoft’s Forefront desktop security product is included free under some enterprise licensing deals. MacDonald said Forefront is a greatly improved product and that while many organisations will not want the pain of a migration project to the tool, businesses should “use the free Microsoft tools to get better prices from other security companies” by reminding them of the opportunity to move to Forefront.