Computerworld - Microsoft Corp., long at the receiving end of widespread user criticism for buggy products, last week received a rare pat on the back for its security efforts from the SANS Institute.
SANS, a research organization for systems administrators and security managers in Bethesda, Md., gave Microsoft awards for demonstrating leadership in three security categories at the Fifth National Information Assurance Leadership Conference in San Diego.
The company won awards for leadership in providing automated security updates; providing security training for software developers; and providing testing software for security vulnerabilities.
Microsoft's award in the automated updates category -- which it shared with Linux supplier Red Hat Inc. -- was in recognition of the automated patching service for Windows XP and Windows 2000 Service Pack 3 and above. Microsoft's security training program for software developers earned the company its second award, while its extensive automation of its software testing process snagged the third one.
The awards were based on criteria and feedback from security administrators at 15 large institutions that SANS works with on a daily basis, said Alan Paller, director of research at SANS. Many of those who participated in the decision process were administrators working in organizations with more than 10,000 systems, Paller said.
"The idea of illuminating vendors who are doing things that are industry-leading grew out of a series of meetings with users who were complaining about vendors making security hard [to implement]," Paller said.
Word of Microsoft's awards was greeted with mixed feelings.
" 'Microsoft' and 'security' in the same sentence is usually a joke," said Matt Kesner, chief technology officer at Fenwick & West LLP, a Mountain View, Calif.-based law firm. "I give them a lot of credit for making security a higher priority, but I would like to see a lot better fundamental design from them before I start handing out any awards," Kesner said.
"I think Microsoft has made great strides in security," said Paul Schmehl, adjunct information security officer at The University of Texas at Dallas. "They are ahead of some of the Unixes and at least on par with some others, [but] they still have a long way to go," he said.
The awards demonstrate the importance of looking at factors other than just total bug count when evaluating a vendor's security practices, said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa.
"Counting the number of identified vulnerabilities alone is completely without merit," Lindstrom said. It's also important to gather information on factors such as a vendor's training practices,development processes and bug tracking methods, he said.
"Sometimes," Lindstrom said, "Microsoft gets a bum rap just because they are who they are."
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
