Comments from Gartner about Microsoft's Security Work

I just read this very interesting article in Information Week about the recent Cisco 'issue' at Blackhat.

What caught my eye is a comment from John Pescatore, a senior security researcher at Gartner. Emphasis is mine...

Microsoft, said Pescatore, has set the security bar with its predictable patch release schedule, security advisories that tell administrators why they need to patch (or why they don't), and early warnings about potential problems before a patch is available.

"But Microsoft was driven to do that," noted Pescatore. "Microsoft learned the hard way four years ago, with Code Red and Nimda."

Will the Black Hat brouhaha convince Cisco to follow Microsoft's lead? Pescatore says don't count on it.

"It's really expensive to do things like Microsoft's doing them. And it took huge events to get Microsoft to change," said Pescatore. "Cisco can say 'we've never had such a thing happen.'"

Not that that makes it right.

"Microsoft's method has really turned into the exception," concluded Pescatore, "but their way is the way everyone will eventually have to go. Customers will demand it."

I agree with John's comments, but I especially concur with the last sentence. Software and hardware folks need to start taking this security stuff seriously. And I don't mean believing the "many eyeballs" fallacy is true. It's not true. Folks need to start changing their development processes, that's what we're doing here at Microsoft, and that's why we're seeing positive results.