Marc Maiffret

Apr 15, 2010 15:47 GMT  ·  By

A security expert who built his career on finding vulnerabilities in Microsoft software now says the company has come a long way. Marc Maiffret, a former hacker turned legitimate security researcher and now chief security architect at FireEye, told InSecurity Complex that Apple's software is inferior to Microsoft's in terms of security and its capacity to protect end users, despite claims to the contrary by the Cupertino-based hardware company. Maiffret put Apple on the spot for marketing its software as more secure than Microsoft's products, noting that this was marketing and nothing more.

Still, the former hacker indicated that he had witnessed Apple starting to change its ways, and care more about security. “It's even a little scarier with them because they try to market themselves as more secure than the PC, that you don't have to worry about viruses, etc. Anytime there's been a hacking contest, within a few hours someone's found a new Apple vulnerability. If they were taking it seriously, they wouldn't claim to be more secure than Microsoft because they are very much not. And the Apple community is pretty ignorant to the risks that are out there as it relates to Apple. The reason we don't see more attacks out there compared to Microsoft is because their market share isn't near what Microsoft's is,” he stated.

According to Maiffret, until Apple started paying more attention to security only recently, in the past six months, it stood roughly where Microsoft did before Bill Gates' January 2002 Trustworthy Computing memo. But while he slapped Apple on the wrist, Maiffret praised Microsoft not only for the progress it has made over the better part of the past decade, but also for the Security Development Lifecycle.

“Now when you look at Microsoft today they do more to secure their software than anyone. They're the model for how to do it. They're not perfect; there's room for improvement. But they are definitely doing more than anybody else in the industry, I would say,” he underlined. “[…] From an internal process in how they go about auditing their code and securing software from a technical perspective, they do have one of the best models. The area they still have room for improvement is around timelines of how long it takes for them to fix things.”

The Security Development Lifecycle is a process Microsoft applies internally to reduce the number of vulnerabilities in its software through threat modeling, code review and extensive testing, and to ensure that when flaws do slip through, platform mitigations such as DEP and ASLR are in place to make exploitation considerably harder and more costly (no mitigation makes it impossible). Windows Vista, the first Windows client built from the ground up under the SDL, was at the time the most secure Windows release the company had shipped. Windows 7 builds on Vista's foundation and is expected to be at least as secure as its predecessor.

In the first week of April 2010, Microsoft published version 5 of the Security Development Lifecycle (SDL) so that third-party software developers can apply the same process to their own products.