Believes Symantec

Aug 29, 2007 14:05 GMT  ·  By

Windows Vista is still an insecure operating system, even though Microsoft has thrown the resources of a small country at it, according to Symantec. The Cupertino-based antivirus company expressed little faith in the label Microsoft gave Windows Vista: the most secure Windows platform available to date. Ollie Whitehouse, Security Response Researcher with Symantec, referenced Microsoft's Secure Development Lifecycle as an integral part of Bill Gates' vision of Trustworthy Computing, but said that outside the Redmond company, software developers have no existing model for building secure products.

"Let's take an (obvious enough) example: we have seen significant improvements by Microsoft in terms of investment and responsiveness when dealing with security (I think even their biggest critics have to acknowledge that). Yet even today, five years since the infamous rocket (aka, management memo) from Bill Gates, Microsoft still has security issues in their most secure version of Windows yet (Vista, if you hadn't guessed); this, even after investing resources that small countries would be glad to have access to. This shows us that even the largest software vendor in the world finds it difficult to address such a complex problem, even with their huge resources," Whitehouse commented.

Summing up the costs of developing Windows Vista, Gates stated that it had been the best $6 billion he ever spent. But not all software companies can afford such costs, or the risk of losing market share, as they do not hold a monopoly position similar to Microsoft's with the Windows operating system. "Part of the issue is that security is going to get a lot more complex at a technological level before it becomes easier. This is in part due to the continual and ever-increasing stream of technologies arriving," Whitehouse stated, adding that "As security improves in certain areas, attackers also adapt, change their habits and move to new or emerging technologies."

James A. Whittaker, a Security Architect at Microsoft, delivered an alternative perspective on the Secure Development Lifecycle, the Redmond company's strategy to make the concepts of software development and security by default synonymous. According to Whittaker, the time will come when SDL will simply blend into the software development process. But in the end, even if the product is bulletproofed, the users themselves can still make it insecure. "At a time when some organizations still run Windows NT 3.51 (when was the last security patch for that released?) and many consumers still run Windows 95/98, we have to accept that there is no easy answer for security just yet," Whitehouse added.