Report: Large companies worried about MS security

A majority of leading security experts said that the security of Microsoft’s products is a top concern, but the company still deserves credit for its efforts to tackle the problem, according to a report released by Forrester Research.

The report, “Can Microsoft Be Secure,” surveyed 35 IT security professionals at companies with at least $1 billion in annual revenue. Respondents were asked their impressions of Microsoft’s products.

Seventy seven percent of those surveyed experienced Windows security problems in the last year and said that security was their “top concern” when deploying Windows applications, according to Forrester.

But that concern didn’t stop them from deploying critical applications on Microsoft’s platforms. A full 89% of the IT administrators surveyed said that they run sensitive applications such as financial transaction and medical records systems that rely on the Windows operating system, Forrester said.

While the security shortcomings of Microsoft’s products are frequently the stuff of news stories, the software giant deserves more credit than it is getting for its ongoing efforts to improve product security, according to Laura Koetzle, a senior analyst at Forrester.

Microsoft’s move to provide plug-ins that can detect bugs in code for Windows applications as they are being developed and its effort to educate its own developers about secure software coding practices are just two positive changes on the security front, according to Koetzle.

“Obviously nobody ever achieves perfect security, but Microsoft is doing a better job now and striving to do a better job in future,” Koetzle said.

The company still has room for improvement, however.

Microsoft must improve its patch management processes, Koetzle said.

Releasing easy-to-use tools that help users securely deploy Microsoft’s server and database software or lock down its Windows operating system would also go a long way towards making its products more secure, she said.

However, other parties have a role to play in achieving the goal of better IT security, according to the Forrester report.

IT managers must standardize Windows server configurations to make testing new patches easier, then use patch management technology to deploy those patches faster and with more consistency, Koetzle said.

In addition, independent software vendors should work more closely with Microsoft to keep up to date on critical security patches from the company that affect their applications, certifying their products on those patches soon after they are released, she said.

Microsoft responded positively to aspects of the Forrester report.

“I thought it was a very interesting report,” said Mike Nash, vice president of Microsoft’s Security Business Unit.

The Forrester report was correct in noting that Microsoft’s high profile security initiative, dubbed “Trustworthy Computing,” is an ongoing process, Nash said.

The high level of concern, registered in the report, about the security of Microsoft’s products indicates that the company must do more to communicate what it is doing to make its products secure, he said.

For its part, Microsoft must extend the benefits of technology such as the Windows Update feature to its entire product line, simplifying the process of distributing and installing software patches, Nash said.

In the end, the popular focus on the existence of product vulnerabilities is misleading, according to Koetzle.

“There will always be bugs, but the fact is that Microsoft has gotten better at finding them and mitigating them and that is a huge step in the right direction,” she said.