Microsoft security "process" trumps Open Source "many eyes"

Matt Asay, an open source CNET blogger and expert I follow very regularly, posted his views about Microsoft's claims of better security over open source products. Microsoft wrote an online white paper back in October touting the benefits of Microsoft's process for creating secure products versus the open source Linux operating system.

The Viewpoint paper by Microsoft is essentially positioning: it argues that the Microsoft Security Development Lifecycle process is delivering more secure Microsoft products. I'm sure it has, and I would certainly hope so. But where the Microsoft train jumps the rails is in trying to use the data cited in this paper to claim that Microsoft's processes have advantages over open source development.

Let me be the first to say that open source isn't perfect. Unix was once called the "kitchen sink" of operating systems, and the open source nature of Linux has resulted in much the same today. But from a security perspective, I believe open source has proven to be a very effective way to create secure software. First, open source software users readily report bugs, problems and improvements, especially when it comes to security. My personal experience with open source development is that security issues are most often the first to be reported. If security problems aren't fixed pronto, the open source project will be labeled as lame by users, who will move on to the next option. Also, the openness of vulnerability disclosure means software authors have a strong incentive to fix security problems fast. If they don't respond quickly, they risk others forking the project and taking over from authors who won't keep up with the market of open source users.

But it's not realistic to expect a big software manufacturer like Microsoft to behave like open source projects. A large company like that must rely on process to address big problems like the security of Microsoft products. And the contribution of outsiders finding and reporting security issues in Microsoft products is invaluable. No matter how good the process, Microsoft can't conceive of all the ways customers will use and break products. Also, any company will have a common mindset about security, a sort of "groupthink", that needs to be challenged by how others outside Microsoft think about the problem.

It's much too early for Microsoft to claim "victory" over past security problems, and taunting Linux users won't change the realities of security issues. The Viewpoint article by Pat Edmonds has largely fallen on deaf ears. Vista has yet to really prove the benefits of Microsoft's security and development processes, but that will come with time, as we see vulnerabilities, or the lack of them, unfold in Microsoft products.

Regardless of which side of the Microsoft vs. Linux argument you tend to fall on, I would strongly recommend taking a look at Matt's blog post.


Copyright © 2007 IDG Communications, Inc.