I frequently have people write to me to discuss how much Windows sucks and how great open source is. They say it as if Windows is my only security problem and Linux, Apache, and Firefox are our saviors.
I often write back that I use Windows and Linux on a daily basis -- and any of them can be secure or insecure. They then somehow take that to mean I’m a Windows zealot because I have the audacity to stand up for Microsoft every now and then.
Here’s the plain truth: Malicious mobile code has been around since before Microsoft was a company, and it will be around long after they are a historical footnote. If Microsoft disappears, that won't stop mischievous hackers from writing rogue programs.
Real security solutions aren’t as easy as replacing Windows with another alternative. Real security means persuasive authentication, loss of anonymity, less functionality, peer code review, and programmers learning security along with their first GOTO statement. End-users will have to accept that security means slower development times and more expensive products.
Yes, there are plenty of security problems to blame on Microsoft, but it’s becoming harder to find new problems to point out. Remember when Gates missed the Internet, but a year later every Microsoft product around could talk to the Internet? The same thing appears to be happening with security now.
Two years ago, Microsoft made all their programmers stop programming and get secure code training. Secure coding and bug hunting are being built in to every programming process at Microsoft, from start to finish. And the results are showing: If you look at the statistics against XP Pro, Server 2003, SQL, and IIS, exploits are way down and security is up. How else do you explain that IE had fewer exploits this year than Firefox? How is it that only two of the top five most active exploits on the Internet are Windows-based? How many years has it been since a Windows worm did as much damage as Code Red, Nimda, or Slammer?
What about Apache 2.0 vs. IIS 6? Since March 2003, Apache has had 25 announced vulnerabilities; IIS 6 has had two or three. Does that mean IIS 6 is more secure? I don’t know, but most of the difference in vulnerability levels probably comes from the fact that Apache is running on 79 percent of the Internet Web sites in the world versus IIS’ 19 percent market share. If the difference isn’t from the popularity, it has to be because Apache is weaker. Which is it?
Want a good database program without frequent security problems? Maybe Microsoft SQL is the answer. Do you remember the date of the last Microsoft SQL exploit? MySQL and Oracle are fairly worse these days, not better.
Can anyone do security better than Microsoft? I’m not sure. Mac OS X is gaining its fair share of patches on a regular basis. I may complain about Microsoft’s patch Tuesday, but trying to keep my Linux and FreeBSD systems patched is becoming even more painful.
Free software proponents often say that open source code review guarantees that open source code will be more secure. Baloney! I love to read code, too, but how many of us have the time to review tens of thousands of lines of code? Plus, the really good people are already working 80 hours a week on projects for their bosses.