White Hat: Vista Gets High Marks For Security

But with Vista, the much-ballyhooed (and delayed) version of Windows, the company seems to finally be on the right track. Dan Kaminsky, senior researcher at DoxPara Research, says that after eight months of kicking Vista's security tires, he's convinced that Microsoft has learned from its mistakes.

"Vista's security is at a level I didn't think was possible at such a large software development house," he says. "They just get it."

Microsoft enlisted Kaminsky and other "white hat" researchers to help it uncover flaws and vulnerabilities in Vista, which will likely be attacked at least as relentlessly as past versions of Windows from the moment it's released.

The project instilled such confidence in the OS among Microsoft officials that at the Black Hat security conference in Las Vegas last week, the company invited about 3,000 security professionals to try and poke holes in the system.

"Security researchers can offer unique expertise and insight and play an important role in helping Microsoft protect its customers and improve its products," explains a Microsoft security spokesperson. "Black Hat [was] an exceptional opportunity for engaging this community. [Because] Vista is still a product in development, we look forward to any feedback we receive from security researchers and will evaluate how best to incorporate that feedback to protect customers."

That the company agreed to such an unusual unveiling is evidence of its confidence in the new OS, something Kaminsky says he noticed while working with Microsoft's security group.

"When we found a flaw, we immediately got access to whomever we needed to talk about it with," he says, adding that it wasn't simply a matter of Microsoft responding to the researchers. "We dealt with a large number of teams, and they all had lists of known vulnerabilities for us before we started; it was like having Cliffs Notes for a security audit. The teams really understood what their responsibility was in getting good code out the door."

Kaminsky says that while new Vista vulnerabilities will be inevitable, the OS marks Microsoft's best attempt yet at creating an airtight solution.

"It's clearly better than Windows XP/Service Pack 2," he says. "They've taken the opportunity with a major OS release to implement a lot of deep structural changes that will make Windows more secure. I'm not sure you can ever achieve total security, but they've really cleaned up a lot of things."