A majority of leading information technology security experts say the security of Microsoft products remains a top concern, but also credit the vendor for its efforts, according to a report released by Forrester Research.
The report, "Can Microsoft Be Secure?" surveyed 35 IT security professionals at companies with at least $US1 billion in annual revenue. Respondents were asked their impressions of Microsoft's products.
Some 77 per cent of those surveyed experienced Windows security problems in the last year. They said security is their "top concern" when deploying Windows applications, according to Forrester.
But that concern didn't stop them from deploying critical applications on Microsoft's platforms. Eighty-nine per cent of the IT administrators surveyed said they run sensitive applications such as financial transaction and medical records systems that rely on the Windows operating system, Forrester said.
While the security shortcomings of Microsoft's products are frequently in the headlines, the software giant deserves more credit than it gets for its ongoing efforts to improve product security, according to Laura Koetzle, a senior analyst at Forrester.
Microsoft's move to provide plug-ins that can detect bugs in code for Windows applications as they are being developed and its effort to educate its own developers about secure software coding practices are just two positive changes on the security front, according to Koetzle.
"Obviously nobody ever achieves perfect security, but Microsoft is doing a better job now and striving to do a better job in the future," Koetzle said.
The company still has room for improvement, however.
Microsoft must improve its patch management processes, Koetzle said.
Releasing easy-to-use tools that help users securely deploy Microsoft's server and database software or lock down its Windows operating system would also go a long way toward making its products more secure, she said.
However, other parties have a role to play in achieving the goal of better IT security, according to the Forrester report.
IT managers must standardise Windows server configurations to make it easier to test new patches. Then, they should use patch management technology to deploy those patches faster and with more consistency, Koetzle said.
In addition, other software developers should work more closely with Microsoft, Koetzle suggested. Third-party companies need to keep up to date on critical Microsoft patches that affect their own applications, and certify their products against those patches promptly, she said.
Microsoft responded positively to aspects of the Forrester report.
"I thought it was a very interesting report," said Mike Nash, vice president of Microsoft's Security Business Unit. The Forrester report was correct in noting that Microsoft's high-profile security initiative, dubbed "Trustworthy Computing", is an ongoing process, Nash said.
Nash also acknowledged IT managers' ongoing high concern, noted in the report, about the security of Microsoft's products. That means Microsoft should communicate more about what it is doing to make its products secure, he said.
Microsoft must simplify the process of distributing and installing software patches, Nash said. For example, the company must extend the benefits of technology like the Windows Update feature, which automatically downloads patches and updates, to its entire product line, he added.
In the end, the popular focus on the existence of product vulnerabilities is misleading, according to Koetzle.
"There will always be bugs, but the fact is that Microsoft has gotten better at finding them and mitigating them, and that is a huge step in the right direction," she said.