Microsoft vs. Apple Security: Who's Right?


When it comes to approaches to security, can Apple's, which clearly works for consumers, work in the enterprise? If the goal is to sell product and make people feel safe, perhaps it can. Or is Microsoft's approach superior, with its more open process? I doubt either company could adopt the other's process easily but, given that some of you will be looking at Snow Leopard in a few months, now would be a good time to, as Apple used to say, think different.


Microsoft's Disclosure Approach


Microsoft's current program appears largely based on the belief that if you disclose everything, your liability is limited. So far, it hasn't seemed to attract much liability, so that part seems to be working. The process of aggressively reporting exploits, coupled with monthly patches that are explained in enough detail to allow someone to actually take advantage of the exploit is actually consistent with the views surrounding open source, in that it appears to be very transparent. I'm using the word "appears" not to be tricky but because I've never really audited the process. However, it does look to be comprehensive.


On top of each disclosure, if Microsoft leaves anything out, Symantec (and other security firms) expands on the exposure to create the impression of vulnerabilities that sell security products. These security firms, in addition, work to identify additional problems, which they generally tell Microsoft about, and help keep this cycle of pain for users and administrators rolling.


So, in effect, it's the folks that work to find ways to penetrate Windows who are actually getting a substantial amount of funding and marketing. The end result is a constant deluge of problems, making the product look incredibly vulnerable and supporting the security industry that has grown to depend on these vulnerabilities.


Apple's Non-Disclosure Approach


Apple doesn't really talk about its exposures; it focuses its efforts on making its product appear invulnerable. It doesn't cooperate with security firms and seems to actually recommend folks don't use security products. I don't think that is because it wants users not to be secure. I think it's because it doesn't want to create the kind of upside-down ecosystem that surrounds Microsoft.


Rather than participate in things like the Black Hat conference, Apple keeps its own security folks locked away working quietly on security problems. It patches quietly, as well, trying to limit or eliminate any sustained coverage of the problems that it too clearly has.


The end result is that its product appears less vulnerable, the security firms have less incentive to promote the vulnerabilities of the product because Apple users mostly don't buy security products, and Apple users feel more secure on Apple products.


So Which Is Better?


If I'm solidly in the open source camp, then it is hard to argue that Microsoft's approach isn't better, but I'm not a coder anymore and while I've been cross trained in every function, I still think that my primary skill remains marketing. As a result, I favor, by a significant margin, the Apple method. Were I Bill Gates and had a time machine, I would go back and close the security hole that was created at the very beginning by not owning security and not outsource it to third parties. Currently, Microsoft is using One Care to get its arms around security but it can't bundle the product into Windows without getting pounded by the anti-trust folks.


This last is probably a lesson for Apple, which still needs to strengthen its own security to include more aggressive anti-virus and anti-phishing technologies before it gets a major breach and the Windows security industry embraces it to fill the gap.


So, I think Apple's approach may be better long term for that company. The question, however, is: Would enterprises that tend to be more open source and really care less about a vendor's image agree? I'd like to know what you think.