Well, it's tough, right? SE and Trusted both have lots of kernel hardening features that Win7 doesn't have. And even base Linux and FreeBSD are "simpler" (until you add OpenSSH, Apache, and the NFS stack). Win7 has baggage; MSFT is still paying for the DCOM mistake.
You have to counter that, though, with the hundreds of thousands of dollars Microsoft spends on security testing every functional unit of the shipping product. It is not unpossible that they paid someone at Leviathan, iSEC, or IOActive to spend a week auditing Minesweeper (they haven't paid us to do that).
They don't just audit their code. A couple times a year, they do a little internal conference called "Blue Hat" (pace Black Hat), which, as the beauty pageant for all their consulting vendors, tends to get the best researchers from those firms as speakers. They highlight trends and findings for execs, and try to get some of the benefit of the audits spread across multiple projects.
There's also an entire layer of researchers, testers, and project managers on top of the security tests. Some of those people (like Leblanc and Howard) are actively turning the results into curricula for training, or for new code standards, or even changes in the shipping VC++ config. Other people develop automated testing tools. Still others develop better, more secure APIs.
When you think of the resources Google has, you assume that the best developers there all have access to a MapReduce cluster that will run their "hello world" test programs against the corpus of the entire Internet as of I dunno 3 weeks ago. Only Google has that resource. Microsoft has more ongoing security test results than any other company in the world --- even more so because they had so. much. catching. up. to. do. from the late '90s. That has to be a killer resource for them.
So, we'll see. I wouldn't run a Microsoft OS as a server, for a lot of reasons. But I have more respect for the work they're doing --- and the intentionality of that work --- than I do for a lot of Unix security projects.
Everything OpenBSD did to fix NetBSD's security in the '90s, Microsoft adopted on a massive scale, and then spent tens of millions of dollars to improve.
Sorry for the long comment, I just don't want to come off like I'm sniping at you, or trying to start an OS war.
Actually, the long comment is much appreciated. It's a very interesting subject for me. I wasn't trying to say that I doubted you, just that I'm no expert. :)