This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."
Vista introduces some notable improvements. One much-anticipated feature is the least-privileged user account (shipped as User Account Control), which lets IT shops stop users from installing harmful software or changing system settings unless an administrative password is supplied. There is also BitLocker, full-volume encryption for PCs that can anchor its keys in a TPM chip, and antispyware technology acquired from Giant Company Software (now Windows Defender). Vista also has provisions for smart-card logon and for the InfoCard identity selector.
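As an added example (not from the article, and not Microsoft's code), the PowerShell audit below checks whether the desktop protections just described are actually in force on a host: UAC turned on and prompting on the secure desktop, the system drive protected by a TPM-backed BitLocker key, the Windows Defender service running, and (optionally) smart-card logon enforced. The registry values, service name and `Get-BitLockerVolume` cmdlet are the documented ones; the pass/fail thresholds are this example's own policy, and the `scforceoption` check is an assumption that the organisation requires smart cards. `Get-BitLockerVolume` needs the BitLocker module (Windows 8 / Server 2012 or later); on a Vista-era host substitute `manage-bde -status`.

```powershell
# Added example: audit the Vista-era desktop hardening the article describes.
# Run from an elevated prompt; the thresholds below are this example's policy.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey
$findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, $Value, [bool]$Pass) {
    $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass })
}

# 1. Least-privilege account / UAC.
#    EnableLUA=1 turns UAC on. ConsentPromptBehaviorAdmin=0 elevates admins
#    silently, which defeats the "password required" behaviour the article
#    describes, so anything other than 0 is accepted here.
Add-Finding 'UAC enabled (EnableLUA)' $policy.EnableLUA ($policy.EnableLUA -eq 1)
Add-Finding 'Admin elevation prompts (ConsentPromptBehaviorAdmin)' `
    $policy.ConsentPromptBehaviorAdmin ($policy.ConsentPromptBehaviorAdmin -ne 0)
Add-Finding 'Prompts shown on secure desktop (PromptOnSecureDesktop)' `
    $policy.PromptOnSecureDesktop ($policy.PromptOnSecureDesktop -eq 1)

# 2. BitLocker on the system drive, with a TPM-based key protector
#    (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey all start with "Tpm").
try {
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $tpmProtectors = @($osVol.KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -like 'Tpm*' })
    $encrypted = ("$($osVol.ProtectionStatus)" -eq 'On')
    Add-Finding 'BitLocker protection on system drive' "$($osVol.ProtectionStatus)" $encrypted
    Add-Finding 'BitLocker key protector is TPM-based' $tpmProtectors.Count ($tpmProtectors.Count -gt 0)
} catch {
    # Module missing (older OS) or BitLocker not installed: treat as a failure
    # and tell the operator what to run instead.
    Add-Finding 'BitLocker (use "manage-bde -status" on pre-Windows 8 hosts)' $_.Exception.Message $false
}

# 3. Antispyware: the Windows Defender service (WinDefend) should be running.
$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
Add-Finding 'Windows Defender service running' "$($defender.Status)" `
    ($null -ne $defender -and $defender.Status -eq 'Running')

# 4. Optional: smart-card logon enforced (assumes the org mandates smart cards).
#    scforceoption=1 means interactive logon requires a smart card.
Add-Finding 'Smart card required for logon (scforceoption, optional)' `
    $policy.scforceoption ($policy.scforceoption -eq 1)

$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) failed."
exit $failed   # non-zero exit lets a management tool flag the host
```

Treat the smart-card line as informational unless smart-card logon is actually mandated; the other checks correspond directly to the protections the article names, and a host where UAC is off or BitLocker has no TPM protector does not deliver them.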
Internet Explorer 7.0 will have a built-in phishing filter that uses heuristics, plus support for high-assurance (Extended Validation) certificates, for safer browsing and better blocking of phishing sites.
Customers will have to wait for Longhorn to get Network Access Protection, a feature that quarantines PCs whose health state (for example, missing patches) fails policy as they try to access a network. The server version will also include the Internet Information Services (IIS) 7.0 upgrade.
Though Vista and Longhorn are the first platforms to get the full SDL treatment, others have benefited from TwC. Windows XP SP2, released in the summer of 2004, was billed as a service pack, but it changed so much of the desktop OS's security that many considered it an entirely new version of the software.
"We've seen benefits with XP SP2 and SQL Server 2005," says Neil Macehiter, a partner at Macehiter Ward-Dutton, a U.K.-based consulting firm. "The vulnerabilities are far less than they've been historically."
The numbers seem to agree. After
"They're good numbers, but not good enough," Charney acknowledges.
What's important about Microsoft products coming to market is that they've all been through SDL. Charney says he knows Microsoft will never reduce the number of vulnerabilities to zero, but aims "to get to the point where the level of risk in the IT world is akin to risk of what we are used to managing in the physical world."
This was first published in May 2006