The philosophy outlined in the Gates memo lays out most of the imperatives for Microsoft to change its long-established product management and development culture. Microsoft became the world's most powerful software company by building software that gave the user control. Upgrades and new software always included more features to allow the user to do more things. Product managers got promoted by shipping software on time with enough new features to compel users to upgrade. Crashes and sloppy programming that left gaping holes for hackers became problems of secondary importance. With the Internet, however, security vulnerabilities became exposed to attack from any savvy programmer on the planet. If Gates' realignment of Microsoft to the Internet in 1996 had made security a prime concern for new Internet features, enterprises would have avoided many billions of dollars of cleanup costs after the long list of viruses and worms that have struck Internet-connected servers and PCs.
Gartner believes that Microsoft is serious about making this shift because the .NET strategy will fail if it doesn't. Nevertheless, changing the management and development culture of such a large company poses a huge challenge, and it won't happen quickly. Previous Gates memos showed results in less than a year, but the Internet and .NET visions played to Microsoft's instinctive worship of new features. Even with full commitment, Microsoft will need time to demonstrate support for a product manager who ships a safe product later, or whose product takes longer for customers to adopt because it includes fewer new features in order to enhance safety. Gartner believes that concrete results from this new initiative will appear no earlier than 1Q03.
The new vision outlined by Gates lacks a focus on software safety that would help keep users from hurting themselves, much as an automatic transmission requires the driver to step on the brake before putting the car in gear. For example, operating system (OS) interfaces would allow trusted antiviral software to ask the OS to block execution of new programs until the software can update its signatures. Enterprises should make it clear to Microsoft that they will base their use of .NET services and future Microsoft software products on clear evidence that those products have become more trustworthy.
Analytical Source: John Pescatore, Information Security Strategies
Need to Know: Reference Material and Recommended Reading
- "Secure Windows: Oxymoron or on the Horizon?" (SPA-14-7346), by John Pescatore. Microsoft's Secure Windows Initiative contains the elements for greatly improving the security of Windows server software.
- "IIS Web Server Security: Change Products or Processes?" (DF-14-6578), by John Pescatore. Enterprises continually impacted by IIS attacks should increase the effectiveness of their security controls or change to a Web server product that is less vulnerable.