Microsoft Can't Claim Victory in Security Battle

In 2002, Bill Gates changed the way Microsoft develops software. But the company has had a harder time altering users' perceptions of how secure its products are.

This version of the story originally appeared in Computerworld's print edition.

Nearly six and a half years ago, in the aftermath of the 9/11 terrorist attacks and amid concerns about growing online security threats, Bill Gates sent out a companywide e-mail at Microsoft Corp. that some people consider his most important internal memo ever.

Titled "Trustworthy Computing," the Jan. 15, 2002, missive stressed the need for Microsoft to focus on building more-secure products. "As an industry leader, we can and must do better," Gates wrote.

As Gates officially retires from his job at Microsoft, he leaves behind a company that by most accounts is doing better on security. But fully convincing users of that is an elusive goal. And increasing competition from Web 2.0 and software-as-a-service (SaaS) vendors is posing new challenges for the security development model implemented after Gates wrote his memo.

The memo set in motion a series of fundamental changes at Microsoft. It led to the creation of the company's Security Development Lifecycle (SDL) process, which was meant to ensure that flaws would be caught during development — not after products were released. Millions of dollars were spent to put every developer through SDL training, and work on Windows was shut down for 10 weeks while the training was done.

The marching orders issued by Gates also resulted in the monthly "Patch Tuesday" release schedule that Microsoft adopted in October 2003. In addition, his memo set the tone for a gradual thawing of the once icy relationship between the company and external security researchers.

Prior to penning the memo, "Gates was the biggest reason why Microsoft was having so many security problems," Gartner Inc. analyst John Pescatore said. "He was a market-driven guy who said that [customers] didn't want more security but more ease of use."

Pescatore added that Gates' "epiphany" drove changes not just at the technical level, but also in how Microsoft evaluated product managers, reviewed product performance internally and decided that software was ready to be released.

Despite all that has been done, though, it has been harder than Microsoft expected to convince corporate buyers that the company's software is in fact more secure than it used to be, said Khalid Kark, an analyst at Forrester Research Inc.

That's true in large part because numerous holes continue to be found in Microsoft products — even ones that have gone through the SDL process from the start, such as Windows Vista. This month, for example, Microsoft issued seven patches to fix a total of 10 security flaws. In February, it released 17 patches, the most since the previous February.

"I think the whole environment has gotten better," said David Jordan, chief information security officer for the Arlington County government in Virginia. "But we still have 'Terrible Tuesdays,' and sometimes patches to fix patches."

In his eyes, the problem is that by the time Gates took action, Microsoft was simply too big to quickly put top-down changes into effect. Gates "did the right thing," Jordan said. "But did he do it soon enough? No."

There is general agreement that bugs are inevitable and that Microsoft's massive user base makes it a big target for attackers. But the steady drumbeat of patch releases has tarnished the company's efforts to improve its security standing, according to Kark.

"I think they expected an overnight shift in terms of perception. It didn't happen," he said. "It's only now that we're starting to see Microsoft being recognized as a company that understands security issues."

Pescatore said a potential new problem is that the SDL process may not be flexible enough for the Web 2.0 and SaaS models. But, he added, Microsoft has yet to come out with "a lighter-weight version of SDL for products on a faster life cycle."

And not everyone is convinced that Microsoft has done enough. David Rice, author of the book Geekonomics: The Real Cost of Insecure Software, said he thinks that security has only gone from being a "tertiary issue" at Microsoft to being an "ancillary" one.

Copyright © 2008 IDG Communications, Inc.