
Microsoft Security Summit - New York, NY

This past week I had a chance to attend a Microsoft Security Summit in Manhattan. Check the schedule of these summits for dates when they are coming to your city. I strongly recommend attending one.

I could argue that Microsoft has stepped up its efforts to deliver more secure products, that it has had fewer vulnerabilities than other OS vendors, that it has had the highest rate of closed vulnerabilities, and so forth. These are facts. I'll leave this judgment up to you. One thing I know for sure—they put a ton more emphasis on security these days.

Security has become somewhat of a nebulous term. It's such a multifaceted issue that there are no 10 easy steps to achieve complete application security, or 5 quick steps to ensure your applications become impregnable. We're not in the weight loss business. It doesn't work this way.

Security is about attitude. I'll say this again: security is about attitude. It requires a somewhat philosophical mindset to evaluate threats and possible angles of attack. It doesn't matter how secure a large piece of software is if even a single piece of it is vulnerable. Attackers go for the weakest link.

So what's the secret recipe for the security sauce? Is there one? Yes, there is. The key ingredient is awareness. Awareness among users not to install every ActiveX popup they see or run email attachments. Awareness among developers to never trust user input. User input is evil until proven otherwise. Funnily enough, I was trying to get this point across at my previous job, but nobody bothered. More than 50% (!) of all the bugs we had came from not validating user input. This oversight eventually led to corruption of our database. This awareness comes in many shapes and flavors.

Security is experience against experience. It's the experience pool of your developers against that of malefactors. It doesn't matter if it's one intruder against ten developers or vice versa. The more experienced one wins.

The summits are conducted in three "tracks"—two IT Professional tracks and one Developer track. The developer track was great, although I expected to see more code and less talk about obvious issues.

It was funny how Symantec's CEO (?) made a scary face during their trailer and quoted the number of network intrusions and virus attacks as if he were telling a tale about a bogeyman.

I was also in for a surprise when an executive from Computer Associates commended the school I attended for some time, Brigham Young University, for their efforts in securing their IT infrastructure (see this Success With CA PDF).

As is pretty much always the case with Microsoft gatherings of this kind, you won't walk away empty-handed. You will receive a TechNet CD with security guidance, a CD with security webcasts, and the latest and greatest version of Windows Software Update Services.
