Windows Development Model
Microsoft Windows is a commercial operating system developed by a company the size of a country. The vision for the OS is created at the top and pushed down to all parts of the organization. Further, this vision goes beyond the operating system; supporting administrative tools, common userland applications, and even productivity software are all developed in an integrated and coherent fashion. The core parts of the operating system share architectural design elements with software throughout the Microsoft product offering. For instance, the cryptographic service provider is leveraged by nearly every Microsoft product that needs cryptographic capability. Also, authentication information is shared throughout the levels of the OS and can be accessed in a uniform fashion by applications (see Figure 1).
Figure 1 Microsoft controls development of everything from the core kernel to server applications.
From a security perspective, not only is security functionality able to be accessed and architected in a common way, but Microsoft also controls the patching process. This is a critical part of operational security. Microsoft controls all patches for their operating system, server software, and productivity applications. Also, they are now releasing all their patches on a regular schedule (the second Tuesday of every month). This setup allows administrators to prepare to test and deploy security patches in a coherent manner. By not having ad hoc patching, Microsoft allows enterprises to plan security upgrades in advance and ultimately probably reduce downtime.
Finally, Microsoft controls the long-term security planning for the primary operating systems and all supporting applications. They have a long-term product roadmap that includes security enhancements and functionality. While a product roadmap doesn't necessarily mean a more secure system, Microsoft has a robust developer network. By having a product roadmap with prerelease software available to developers, it increases the likelihood that developers will be aware of new security functionality and use it properly. Further, Microsoft's developer tools natively support Windows security functionality.