Microsoft gets serious about security, part 2

by Preston Gralla

In my last blog , I wrote that Microsoft has finally gotten serious about security - and a lot of you weighed in. There were Microsoft-bashers and Microsoft defenders, and the twain didn't meet.

Well, I'm back to say that there's more evidence that the company has seen the light when it comes to security. The evidence this time: Microsoft senior vice president Bob Muglia admitted to CNet that the company's attempts to harden its software against attacks is slowing down product rollouts.

"It's absolutely slowed things down," he told the news site. "This work is making our software come out not as quickly."

Products affected include updates to developer tools and SQL Server, both of which will be delayed until next year. That, in turn could delay other Microsoft products whose development depends on those programs.

I think it's more than likely that the continual slipping of Longhorn's shipping date is tied to security work as well.

Now, I'm sure some of you will argue that security is just an excuse that Microsoft is using to hide behind - after all, when has a Microsoft product actually shipped on time? But this time around, the company isn't using security as an excuse. In the past, Microsoft would rush products out the door, willy-nilly, and security be damned. That's no longer the case. It's now willing to risk shipping dates of its most lucrative products - including the core operating system - to make sure its software is secure. The cynical among you may say that this newfound focus on security comes only for business reasons, that Microsoft recognized unless it releases more secure software, competitors like Linux will become more popular.

I say, who cares why the company is doing it? For whatever reasons, Microsoft has seen the light. Yes, it may mean a slower product pipeline, but that's better for all of us.

Do you think Microsoft has gotten serious about security? Let me know.


2004-03-17 13:39:42
Secure by Design?
I'd be more curious to know (that is, if I had a need to use any Microsoft software) whether they are redesigning their software to address their security problems or just trying to refactor existing code based on the same, flawed designs.

In my experience, any modertately sophisticated software I've written that was not designed with security as a priority was not easily secured later. In fact, most of my work trying to do so ends up being fundamental design changes, and this type of work is likely to introduce more bugs (and many security issues turn out to be bugs in the software). The best solution is always a new design (or to do it right the first time, of course).

Apple started from scratch with OS X, and depending on who you ask, it only took them a few years to produce a stable and secure OS. Microsoft has many more resources (financial, human, etc.), so presumably they could do the same. OpenBSD is considered by many to be the most secure OS, so why not start with it? I'm sure any licensing issues can be worked out, since Apple has already forged the path.

I would bet that most people who are labeled "Microsoft bashers" would love for Windows to be a better OS, comparable to Linux, OS X, OpenBSD, etc. After all, even the alpha hackers often have parents or friends who use Windows, Microsoft stock, or an interest in the US software industry and economy.

2004-03-17 17:47:46
Getting better
I am a self-proclaimed Microsoft hater. I worked on their stuff for years and jumped ship for better harbours.

That's just to clear the air and let you read this with the right colored goggles. :)

Still, my mind is not so closed as to think that a more secure Microsoft can be anything but a "good thing". I agree with the previous poster though... For everyone's sake, I hope they are actually focusing on the numerous design flaws that they have introduced over the years. If all they are doing is fixing buffer overruns in code and subsystems that should be ripped out completely instead of fixed, we're all going to be underwhelmed.
2004-03-17 20:37:02
What's in a promise?
The cynical among us will also note that for a company with pockets as deep as Microsoft's, it isn't much of a setback to "delay" their most lucrative products.

I am explicitly excluding myself from the Microsoft haters, btw. This might seem paradoxical, given my stance about their practices in many respects. If I were in their position, I would however.. wel.. do exactly the same. They're an enterprise, not a wellfare organization. I believe that any company in a position such as Microsoft's would be harmful to the business. I wouldn't trust Sun or Apple or IBM or Novell an iota further than I trust Microsoft, were they in the same position; some of them would be less overbearing than Microsoft, others might be more. It doesn't matter.

Microsoft simply have more power than any enterprise should be allowed. Their getting (a little bit more) serious about security can only ever be a partial solution.

I love IBM for their (not-so-)new, open source community friendly course, but at the same time I am glad that Novell is stepping in as another major player in that market, and I am glad that neither controls Linux in the actual sense.

"Loving" or "hating" Microsoft is a trivializing point of view; I am often somewhat embarrassed about people who rant against Microsoft because they're speaking as much nonsense as the lovers. Unfortunately, as I am all too aware, a lot of the time I don't invest enough time in my arguments to come across as something more than a Microsoft basher; I guess I should at some point post a writeup about this somewhere so I have something to refer people for more a detailed view.