Panelists: Microsoft Takes Too Much Heat For Security


Microsoft gets something of a bum rap when it comes to security, solution provider executives said at the CRN Security Roundtable.

The software giant is routinely criticized for its security problems, but other vendors have their share of security issues as well, they noted.

"Every application and OS vendor has a huge amount of problems. Microsoft is one of the only ones that's stepping up and saying, 'We're actually putting a program in place to do [security],' and is the only vendor who's saying, 'We're going to train all of our developers in secure programming techniques,' " said Chris Wysopal, director of research and development at @Stake. "I haven't seen any other vendor step up and do that."

In a memo to employees early this year, Microsoft Chairman and Chief Software Architect Bill Gates said the company aims to bolster the security of all its products. However, it will be a while before the results of that effort emerge, Wysopal said.

"It takes a whole product life cycle, from design and implementation, and then the proper testing," he said. "It's going to take a couple years."

Microsoft is taking security very seriously, but the complexity of the overall networking environment will slow down its security initiative, according to Dan McCall, executive vice president at Guardent. "In the short term, it's just too difficult to get a holistic view around the whole thing," he said. "There are too many applications that are interacting and too many networking devices that are in play. I don't see, at least from our perspective of security, the complexity going down. I actually see it increasing."

Microsoft gets a lot of attention because many people want to break into its software, yet other vendors, such as Oracle, also have plenty of security problems, McCall said.

"Oracle has said it's bulletproof. To me, that was kind of silly because that just put a bull's-eye on it," he said. "It has big, complex software, and I guarantee there are big, ugly bugs in every major software platform that's out there."

Though some industry executives argue that open-source software is more secure, Wysopal said a vulnerability search that he ran showed that Red Hat Linux had more vulnerabilities over the last two and a half years than Microsoft.

Kenneth Cavanagh, vice president of professional services at Vigilinx, said the industry can't expect bellwether companies like Microsoft and Intel to provide complete security.

"Every app and every operating system can be made more secure or less secure. Expecting a vendor at the chip, application or operating system level to provide complete, robust security is a fallacy."