
This is the result of nearly a decade of work from MSFT, across the board. They built better tools, drilled security into every new hire all the way to the execs, made it a part of every engineering and product process imaginable. Happy that is finally being acknowledged on the outside.



I still remember how painful it was to ship anything, waiting in queue for security team signoff. Good to see it pay off though. Good on Microsoft - making secure products and smarter engineers in the process.


"Happy that is finally being acknowledged on the outside."

Not to mention by a reputable security company in the business (we all know there's some sources whom are... biased... to put it nicely). Congrats to Microsoft, glad to see they've put security so highly on their priority list. Not to mention the involvement they try to get with hackers, and worldwide trying to stop spam botnets, etc... Very nice to see a corporation working like that.


I think it's actually "who" in this case: the pronoun is the subject of "are biased."


Their Secure Development Lifecycle guide can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?display... .


I agree with this comment from my time working there. Microsoft engineered their way to this level of success.


What can we trace this security priority initiative of Microsoft back to?


Jan 15, 2002 email from Bill Gates to all MSFT staff [1]. Includes some real gems, like;

>So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.

[1] http://www.wired.com/techbiz/media/news/2002/01/49826


I was hugely impressed by Bill when I read that memo, I checked with my friends who worked there to see if it was 'real' or a PR stunt, and they universally agreed it was very very real.

I suspect Google is about to be tested in this way given the adoption of Android on mobile devices. It is fortunate that they have a strong security culture to begin with but nothing proves that like being battle tested.


Google isn't the first company that would come to my mind. I'd rather go for Apple. Their mobile ecosystem might be a lot more secure than Android's, but the way they acknowledge OSX vulnerabilities and how soon they fix them is a weak spot.

Oracle with Java could also get a lot of heat.


Apple regularly loses security shootouts, and is widely derided by security people. Their only advantages are their niche status (which they are losing) and their lack of consideration towards old apps (they can dump old APIs which are hard to secure, and make other backwards-incompatible fixes, because they just don't care that much about backwards compatibility).


Apple isn't a niche player in mobile. Whether you like Apple's App Store or not, in terms of security it's a raging success.


The other big advantage on mobile is a closed ecosystem and mandatory sandboxing.


This is a rather biased view. Maybe check that top ten list again.


The one that Apple holds two positions in for arbitrary code execution vulnerabilities?


> Rather than developing standalone applications and Web sites, today we're moving towards smart clients with rich user interfaces interacting with Web services.

Spot on. 2002.


Good for him. This doesn't seem to be the attitude of many in the startup scene. It isn't the attitude of all too many app developers. It also doesn't seem to be the highest priority at Apple.


It was a response to the very real threat of Linux. MS was getting publicly beaten on an almost monthly basis by malware authors. It was a whack-a-mole contest to keep our boxes patched. I still scratch my head and wonder why our bosses have kept demanding Windows Windows Windows...


The "Summer of Worms", after Slammer, Blaster, and Welchia owned up some huge fraction of every Windows machine connected to the Internet, including large portions of the DoD. Microsoft's software security was repeatedly on the front page of CNN and the subject of Congressional hearings.


Now I wish Adobe would do the same thing.


They very much are, and have been, for a while.


Remember this? http://www.gizmodo.com.au/2012/05/adobes-photoshop-security-...

They left Photo CS 5.5 users twisting in the wind, recommending customers pay to upgrade their one-year-old software to CS 6.

I don't know if it was the external pressure or a slow in-house process, but it took them a month to release a fix for CS 5.5 users: http://www.adobe.com/support/security/bulletins/apsb12-11.ht...


If you wanted to put Microsoft under a microscope from 2003-2010, during the time where they were actually putting in the work to transition from a 1990's software security practice to a 201x security practice, you'd find plenty of "smoking guns" to win arguments with on message boards.


So you're implying what we're witnessing at the moment is Adobe improving as steadily and quickly as it can?

Why do I find that hard to believe? Oh right, because I've launched and used Adobe software in my life.


TL;DR: you probably won't notice unless you are looking for bugs in their products, and trying to write exploits.

You will certainly not notice any improvement in their "creative" apps.

But these do not really form a part of most people's "internet attack surface". The priorities are Reader and Flash. Perhaps AIR.

Adobe Reader X is a lot more secure than Reader 9 was. The bugs are still there - many Reader 9 bugs affect X. However, exploitation is much harder, and I haven't seen anyone get reliable code execution in X yet.

They are supposed to be working hard on Flash too, although I haven't looked at that recently. I remain unconvinced that Flash is actually fixable, but perhaps they could win with strong enough sandboxing and exploit mitigation...


This is exactly what Slashdot commenters said about Microsoft software in 2007.


That doesn't apply until they start actually releasing out of band updates for very, very nasty flash/reader vulnerabilities.


[citation desired]


A good person to follow here is Brad Arkin.


"it's a trap!"



