Here we go again....
Again, please correct me if this recent report seems to be a bit self-serving. The jist of this report is saying, "Yeah...Vista is good...but it's not perfect....what would make it perfect is the use of some 3rd party security stuff...umm...like our 3rd party stuff". Is this really news? I completely understand that the "seat belt vendors" need to keep touting the need for better seat-belts...but when the included seat belt have gotten pretty darn good...what do they do? They write official "research". (But be careful, cause you have to say some nice things....since you do support their O/S)
Yep...they got us. Please feel free to quote me: Vista is not perfect. Microsoft never claimed it to be. What Vista is, however, is a huge step in the right direction and one that is severely reducing the amount of known attacks that were known during the development process. If you're curious about how the Security Development Lifecycle (SDLC) is working....then check out the research done by my teammate Jeff Jones and also what Mike Howard had to say about the UAC from RSA 2007, where he and Jeff did a session on Security Engineering.
Here's the bottom line..and I'll use this to answer every question or concern you may have about Windows Vista, XP SP2, driving without a seat belt, etc. It's about RISK MANAGEMENT.
Does <insert favorite security technology here> mitigate enough risk in your environment that you (not Microsoft, not 3rd party experts, but YOU) consider the remaining risk "acceptable" (or "transferable" to your insurance company)?
Here's the catch however: Your risk assessment needs to be constant and on-going...since things change....just because you were protected in the past by <insert your favorite security technology here> you may not be protected in the future, by stuff no one's heard of yet. I got news...no one can do that. What we've done is make an attempt to mitigate as much as possible against the existing threats and some we think are on the horizon. That's it. Full disclosure. Do we always get it right? No. Are we always trying to get it right? Absolutely.
It's your choice. Don't be scared into buying something you don't need, if your assessment doesn't warrant it. Buy what mitigates the risk you've identified.
(BTW, you just got the entire concept of the security profession in a single blog post)
P.S> Here's some additional "link love" given out to the Rick Claus and the IT Pro team in Canada. My podcast interview is finally posted. Funny... I talk about the UAC "experts" as well. I do like to stir the pot.