Microsoft's Project Quant: Another Security Advancement
By its own measure, Microsoft is getting better at responding to vulnerabilities. In a report released in advance of this week's annual Black Hat security conference, Microsoft showed that it is not only getting patches and workarounds out to users faster, but is also beating hackers' release of exploits. According to the Microsoft Security Response Center, only 17 of the 138 vulnerabilities it addressed between October 2008 and April 2009 have publicly available exploit code.

The Microsoft Active Protections Program (MAPP) is making tremendous headway in the effort by working with security and software partners to identify security vulnerabilities, reverse-engineer the problem and produce a patch. The time it takes to do this has been reduced from 6 hours to 2. While this week Microsoft released an out-of-band patch to correct an ActiveX vulnerability, it is only the ninth time in the Patch Tuesday era that Microsoft has gone outside the scheduled release cycle.

This is a vast improvement over the days when Windows 2000 ruled the desktop and NT was the server platform of choice. Back then, vulnerabilities and configuration errors were a weekly, if not daily, occurrence. Consequently, the patch release process was chaotic for Microsoft and for the users who needed to fix their systems.

At this week's Black Hat security conference, Microsoft formally unveiled Project Quant, a new methodology and tool for calculating the cost of evaluating and deploying patches. Developed by security analyst firm Securosis, Project Quant provides a 10-step process for evaluating, testing, planning deployments, rolling out patches and measuring effectiveness. Securosis' Rich Mogull says this is a community effort that will evolve with the input of security practitioners and professionals. "We really do consider this a 1.0 version of the model, and expect it to change as we get additional feedback and continue to explore the model with additional surveys, focused interviews and other research. Please drop us any feedback here or in the forums," he writes in his blog.

This is not the first attempt at providing models for patching or metrics for measuring costs and effectiveness. Security maven Pete Lindstrom at Spire Security has produced copious models for assessing vulnerabilities and prioritizing patch deployments. While Lindstrom is sometimes criticized for the complexity of his methodologies, they do provide a good, adaptable baseline for users.

What Project Quant and MAPP demonstrate is Microsoft's continued commitment to improving security. There was a time when taking security advice from Microsoft was laughable. The effort and progress Microsoft has made since the inception of Trustworthy Computing in 2002 is laudable. The methodologies, tools and resources can only help solution providers and their end users improve security and their response to new threats.
