Comments from Gartner about Microsoft’s Security Work

I just read this very interesting article in Information Week about the recent Cisco ‘issue’ at Blackhat.

What caught my eye is a comment from John Pescatore, a senior security researcher at Gartner. Emphasis is mine…

Microsoft, said Pescatore, has set the security bar with its predictable patch release schedule, security advisories that tell administrators why they need to patch (or why they don’t), and early warnings about potential problems before a patch is available.

“But Microsoft was driven to do that,” noted Pescatore. “Microsoft learned the hard way four years ago, with Code Red and Nimda.”

Will the Black Hat brouhaha convince Cisco to follow Microsoft’s lead? Pescatore says don’t count on it.

“It’s really expensive to do things like Microsoft’s doing them. And it took huge events to get Microsoft to change,” said Pescatore. “Cisco can say ‘we’ve never had such a thing happen.’”

Not that that makes it right.

“Microsoft’s method has really turned into the exception,” concluded Pescatore, “but their way is the way everyone will eventually have to go. Customers will demand it.”

I agree with John’s comments, but I especially concur with the last sentence. Software and hardware folks need to start taking this security stuff seriously. And I don’t mean believing the “many eyeballs” fallacy is true. It’s not true. Folks need to start changing their development processes; that’s what we’re doing here at Microsoft, and that’s why we’re seeing positive results.

Comments (6)

  1. Michael,

    Great post. I saw this as well and thought: finally, something positive about Microsoft from Gartner regarding security.

    Security First is the only way to go. Security is a process and requires constant improvement.

    I don’t know your role there, but congrats to you and all at Microsoft that are making a difference.
    p.s. "follow Microsoft’s Lead" is another quote from the article that is notable.

  2. Steven Lai, CISSP says:

    The Microsoft results (problems reported after product release in the last two years) show that your security changes in your development processes work. Sadly, Cisco appears to be trying to hide security problems.

    Software security is a long continuous journey.

    I enjoyed your webcast on threat modeling.

  3. Graham says:

    Meanwhile, away from the marketing crap you seem to come out with, eEye pwns IE yet again:

    And I guess spyware and ID thieves won’t be exploiting these vulnerabilities, oh no, only moral people like eEye will be able to find them…

    Why not work on fixes instead of press releases?