A new poll finds that seventy-seven percent of security professionals believe Microsoft products are insecure. But a closer look at the survey tells a far more interesting story.
Though many of the news rags picked up the analysis, with cursory coverage of the paper, I think it deserves a bit more examination.
For starters, 89% of those security experts went on to say that they deploy critical applications and services on Windows operating systems, despite their supposed security concerns.
Why would someone deploy sensitive applications on a platform that they think is insecure? My initial take is that even when it comes to multi-billion dollar businesses, these people just don't care about security -- not to the point where they'll actually do anything about it, anyway.
It all comes down to perception. For instance, the research paper quotes a pharmaceutical company representative as saying "You can't put the words 'Microsoft' and 'security' in the same sentence without laughing. Microsoft is features-oriented, not security-oriented. Security is simply not part of Microsoft's culture or its architecture."
Statements like this really chap my hide, because they are simply ignorant. Microsoft operating systems and software can most definitely be secured; the architecture and structure are there. But somehow the perception that they're inherently and hopelessly insecure still persists.
I think part of this perception is fueled by these companies' own actions -- or inactions, as the case may be. Of the 35 companies polled in the Forrester study, 77% also said they have experienced Windows-related security incidents within the last 12 months. When asked if they had any plans to change their deployment process for Windows installations as a result of these breaches, 41% said no.
So let's see if we have this straight: Seventy-seven percent of the hard hitters think Microsoft software is insecure, but don't care and deploy it anyway. Seventy-seven percent also had a security incident within the last 12 months (big surprise there), and even so, almost half say they have no plans at all to change the way they deploy the software.
And yet all of this is Microsoft's fault.
The real kicker is this: Of those 77% who had an incident in the last year, 60% were hit by Nimda, and 54% by Code Red (which means some got both!).
Here's the deal: These issues date back to 2001, people! It is far too late in the game to play the "Microsoft security sucks because of Code Red" card. And if you are still getting infected with Nimda, then it's your security that sucks. Yes, I know it is crass and insensitive, but the truth is like that sometimes.
Saving the Customers From Themselves
So what is the next step? How can Microsoft fight perceptions that become people's realities? I think the interpretation of the survey by Forrester researcher Laura Koetzle is right on: Microsoft must implement a crack patch management strategy that makes applying a patch as easy as installing the software in the first place.
Regardless of whose fault it is for not patching and maintaining a Windows installation, Microsoft has realized that they must take responsibility for ensuring that patches make their way from the development team to the end-user's system. Before the popular perception of Microsoft's product security can improve, the company will have to move their vulnerability-handling finish line from "the patch is available" to "the patch is installed."
While I have no sympathy for people who don't patch against Nimda and Code Red, I do feel for those who labored through the SQL patch that fixed Litchfield's UDP exploit. It was arduous. Files had to be manually copied, SQL scripts executed, and executables run against instances. The lesson for Microsoft here is that they cannot require more expertise to load a patch than they do to load the application.
To this end, I am excited about what the future of Microsoft's patch management will bring. Word on the street is that Microsoft is already at work on developing a broad strategy and an accompanying set of fully-featured tools and services to provide customers with a road map of how to best meet their patch management needs. And I think it will make all the difference. While there are many current methodologies in place to address patch management, Microsoft sees the need to compile and expand the varied functions of SUS, Windows Update, MBSA, MOM, SMS, Group Policy, etc., into a comprehensive solution that lets customers finally wrap their arms around patch management.
As a security guy, it is easy for me to be critical of those who don't bother to learn how to secure the software they use -- and then complain to pollsters about it. But Microsoft does not have that luxury. The reality is that customers must be saved from themselves, and Microsoft's recognition of that fact, and its efforts to address it, are yet another good step in the direction of "Trustworthy Computing."