A majority of leading information technology (IT) security experts said that the security of Microsoft's products was a top concern, but the company still deserved credit for its efforts to tackle the security problem, according to a report released by Forrester Research.
The report, Can Microsoft Be Secure, surveyed 35 IT security professionals at companies with at least $US1 billion in annual revenue. Respondents were asked their impressions of Microsoft's products.
Seventy-seven per cent of those surveyed experienced Windows security problems in the last year and said that security was their "top concern" when deploying Windows applications, Forrester said.
But that concern didn't stop them from deploying critical applications on Microsoft's platforms. Eighty-nine per cent of the IT administrators surveyed said that they ran sensitive applications such as financial transaction and medical records systems that relied on the Windows operating system.
While the security shortcomings of Microsoft's products were frequently the stuff of news stories, the company deserved more credit than it was getting for its ongoing efforts to improve product security, according to a senior analyst at Forrester, Laura Koetzle.
Microsoft's move to provide plug-ins that could detect bugs in code for Windows applications as they were being developed and its effort to educate its own developers about secure software coding practices were just two positive changes on the security front, Koetzle said.
"Obviously nobody ever achieves perfect security, but Microsoft is doing a better job now and striving to do a better job in future," she said.
However, the company still had room for improvement.
Microsoft must improve its patch management processes, Koetzle said.
Releasing easy-to-use tools that helped users securely deploy Microsoft's server and database software or lock down its Windows operating system would also go a long way towards making its products more secure, she said.
However, other parties had a role to play in achieving the goal of better IT security, according to the Forrester report.
IT managers must standardise Windows server configurations to make testing new patches easier, then use patch management technology to deploy those patches faster and with more consistency, Koetzle said.
In addition, independent software vendors should work more closely with Microsoft to keep up to date on critical security patches from the company that affected their applications, certifying their products on those patches soon after they were released, she said.
Microsoft responded positively to aspects of the Forrester report.
"I thought it was a very interesting report," vice-president of Microsoft's Security Business Unit, Mike Nash, said.
The Forrester report was correct in noting that Microsoft's high-profile security initiative, dubbed Trustworthy Computing, was an ongoing process, Nash said.
The high level of concern, registered in the report, about the security of Microsoft's products indicated that the company must do more to communicate what it was doing to make its products secure, he said.
For its part, Microsoft must extend the benefits of technology such as the Windows Update feature to its entire product line, simplifying the process of distributing and installing software patches, Nash said.
In the end, the popular focus on the existence of product vulnerabilities was misleading, Koetzle said.
"There will always be bugs, but the fact is that Microsoft has gotten better at finding them and mitigating them and that is a huge step in the right direction," she said.