Security has not been part of the Microsoft Windows nor application architecture in the past. This may or may not be changing, only time will separate the marketing from the reality.

Companies continue to deploy Microsoft solutions despite the risks because of the monopoly status.

Here's why:

Firstly no one wants an operating system, instead they have functional requirements.

Typically functional requirements are expressed in terms of Application functionality.

Most companies deploy 3rd party applications, yes, even the big ones.

Most development houses code for the most prevalent platform, which is Windows.

As an aside, with the advent of Enterprise Linux, this may also be changing!

So a company is faced with weighing up the following, either deploy the application-written-for-windows on windows and take the risk, or absorb the costs and risk of re-writing it for another platform.

Ideally this would form part of a Quantitative Risk Assessment in support of a Businesss Case, however I've rarely seen this exercised to that degree in practice.

Although I take your point regarding some no-brainer vulnerabilities (Code Red, Nimda), it's not as simple as "not taking security seriously", but rather as a product of a unfair Monopoly, for which Microsoft has stood accused and been convicted.

But as much as I regard you as a fully paid up member of the M$ fan club, your "light blue touch paper and stand well back" tactics are entertaining if not informative, so keep it up. ;-)

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/152/19192#19192