Windows Vista is the first software product to go through the Microsoft Software Development Lifecycle for its entire development process. Via the SDL, the Redmond company attempted to bulletproof Vista as much as possible, making it “Secure by Design, Secure by Default, Secure in Deployment and Communication.” Essentially, the SDL was put in place as a model to cut the volume of security defects introduced during design and coding, as well as to ensure that the mitigations in place reduce the maximum severity level of the remaining vulnerabilities. Ever since Vista hit the market, Microsoft has continually applauded the platform as superior to Windows XP. The question, of course, is just how the security of Vista compares to what XP has to offer.
“Windows Vista continues to be the most secure version of Windows ever. For instance, we can know from a recent vulnerability reports comparison that Windows Vista had 50 percent fewer critical vulnerabilities than XP SP2 and far fewer critical vulnerabilities than other competing operating systems in their first respective 180 days after release,” stated Jon DeVaan, Senior Vice President of the Windows Core Operating System division at Microsoft, commenting on the Vista SP1 Beta release at the end of August. This perspective is also shared by Microsoft’s Brandon LeBlanc, who cited Jeffery R. Jones, Strategy Director in the Microsoft Security Technology Unit, in the “Windows Vista Service Pack 1 Beta White Paper,” also at the end of the past month.
“When developing Windows Vista, Microsoft set out to provide higher levels of productivity, mobility, and security, with lower costs. After more than six months of broad availability and usage, it’s evident that these investments are improving the Windows computing experience. For example, in the first six months of use, Windows Vista had fewer security issues than Windows XP (Windows Vista had only 12 issues, and Windows XP had 36). According to the Windows Vista 6-Month Vulnerability Report by Jeffery R. Jones, Windows Vista had fewer security issues than all the popular operating systems he studied,” LeBlanc stated.
Following the release of Windows Vista, Michael Howard, the Senior Security Program Manager in the Security Engineering group at Microsoft, revealed that the company’s security target for Vista versus XP was for the latest Windows operating system to reduce the number of vulnerabilities by at least half compared to its predecessor. The Secure Development Lifecycle plays a vital role in this respect, as it is the primary advantage Vista has over XP. In the “Windows Vista 6-Month Vulnerability Report,” Jones indeed revealed that the volume of Vista security flaws was lower than that of XP. Additionally, in the first seven months of 2007, Vista had just over 20 vulnerabilities, while XP had close to 40.
“Microsoft has stated that its software developed under the SDL process initially demonstrated a 50-percent reduction in security bulletins on its major products compared with versions of the same products developed prior to SDL; more recent Microsoft estimates claim up to an 87-percent reduction in security bulletins,” stated an excerpt from the State-of-the-Art Report from the Information Assurance Technology Analysis Center (IATAC), sponsored by the US Department of Defense.
The report goes on to describe the main focuses of the SDL: Requirements, Design, Implementation/Development, Verification, Release, and Support and Servicing. The first stage of the SDL is to review the integration of security into the development process. The software then moves into the design phase, where architects, developers, and designers contribute to the technical aspects of building the product. Only then comes the actual implementation, divided into stages of coding, testing and integration. The software then evolves into the first beta version, followed by the Release Candidate and by the release to manufacturing stage, where the code is finalized.
Microsoft does offer extensive and detailed information about the SDL in the hope of standardizing its practices. Still, the model is by no means universal and will not fit all approaches to software development. “For the record – we make no claims about the universal applicability of SDL – it’s a constantly evolving, security-focused software development process – first, last and always. While the SDL is well suited to our work environment, we might have made different process tradeoffs in other environments. The important thing to focus on is process evolution – learning from customer pain, decisions made, and effectiveness of what you’re doing – and using that information as a catalyst for change,” stated David Ladd, a Senior Security Program Manager on the Security Engineering Strategy Team.
As for the question of Vista and XP security, the truth is that only time will tell, and it is not yet the right moment to draw the line and deliver final conclusions on the matter. Still, at 6% of the operating system market, Vista is obscure enough to not have a mature and comprehensive threat environment centered on it. So in this respect, yes, Vista is indeed more secure than XP.