In Microsoft's perspective, Windows Vista is the epitome of security when it comes down to comparing it with the alternative Windows operating systems available, and namely Windows XP. The Redmond company was not shy about marketing vulnerability statistics put together by Jeffery R. Jones, Security Strategy Director in the company's Trustworthy Computing group indicating that in the first six months of consumer availability Vista accounted for just 12 fixed security flaws while for XP the count was up to no less than 36. Jones' Windows Vista 6-Month vulnerability Report, and counting game additionally indicated that Microsoft's latest operating system was impacted by less vulnerabilities than rival Mac OS X Tiger and the Novell, Ubuntu and Red Hat distributions of Linux.

The Redmond company feels confident of Vista's security due to the fact that the operating system is its first software product to come out of the Secure Development Lifecycle, a development methodology designed to drastically reduce the volume of vulnerabilities from as early as the design process. Still, according to Adam Shostack, a Program Manager in Microsoft's Security Engineering group, SDL is not centered on security but on making a trade-off between the protection the end product will deliver and the potential risks left unattended. In a word... risk management.

"In the SDL, we help people and teams make more informed decisions on the trade-offs and balances associated with security decisions. There are some risks that we say are unacceptable because of their impact on customers. On behalf of those customers, we tell teams that they can't ship software unless they've taken certain steps to reduce that risk, and that there are classes of issues that they must resolve before they ship (roughly, anything that would result in an MSRC bulletin)," Shostack revealed.

In this context, the first service pack for Windows Vista, currently planned for availability in the Q1 2008 will also be built on the tools and techniques of the SDL. Jon DeVaan, Senior Vice President of the Windows Core Operating System division at Microsoft, explained that Vista SP1 will bring to the table SDL updates, removing code patterns from the operating system that have resulted in vulnerabilities since the January launch. Simply putting it, Vista will continue to be the most secure Windows operating system after the launch of SP1 in the first quarter of the coming year, with all indications pointing to a release after February.

"Knowing up front what's allowed and not allowed, teams can build it into their schedules. We keep the SDL on a twice-yearly change schedule, giving teams a chance to integrate the SDL recommendations and requirements into their planning," Shostack added. "By setting a clear and prescriptive bar for how to control risks, we've made the SDL a lot more acceptable."