Faith-based Security
A couple of items on assumptions about Microsoft security have caught my eye in the last couple of days, and not in a good way. There seems to be a presumption, at least among some, that Microsoft is a leader in computer security. Consider this claim from "Microsoft at the Forefront of Computer Security":
One thing is for sure — Microsoft is not just sitting on its laurels when it comes to computer security. While Vista and Windows Server 2003 are showing themselves to be almost orders of magnitude more secure than Apple and open source operating systems,
By what measure? Where is the data to back this up? It certainly doesn't come from failed anti-virus tests or the number of vulnerabilities found in Microsoft applications and operating systems compared to others. Someone, please tell me how to support the statement that MS operating systems are "orders of magnitude more secure" than others?
I've said before I'm not a fan of any one operating system; I use Windows, Mac OS X, and a couple Linux distros. As OS agnostic as I am, I still can't buy the idea that MS OSes are more secure. Someone please clue me in on what bit of MS advanced technology I, and most users, are missing.
I wrote about the other piece that leads me to believe faith, more than reason, drives decision making about security. Yesterday's post quoted an Enterprise Strategy Group report that found 3/4 of organizations are evaluating Microsoft Forefront desktop security. Again, what about Microsoft's track record would make managers so confident that they'd expend the time and resources evaluating this tool?
I'm not sure what is driving this faith in Microsoft given its track record, but here are a few possibilities:
1. Vista marketing - It is more secure than previous versions but locking down the operating system kernel, which should have been done years ago, does not make them a leader in security.
2. Microsoft is now in the desktop security market - Windows now has anti-virus along with a firewall. How good is it? OneCare was the only anti-virus program to fail the AV Comparatives test according to the BBC. (See more on Vista weaknesses at a previous post).
3. Compliance checklist mentality - This is the one I think is the real driver but that is just a gut feeling. Buying Microsoft is like buying IBM in the old days - no one ever gets fired for doing it. The reasoning is Microsoft is big, everyone uses it, it's reasonable to assume an auditor wouldn't come down on you for buying Microsoft so use it. Quality is irrelevant - it's CYA all day every day.
Personally, I find this kind of reasoning pathetic. We have problems with security and we need to solve them, not stick our head in the sand or worry more about auditors than attackers.
