MS sets eyes on security

Techies who’ve spent countless hours in the trenches cleaning up in the wake of a virus targeted at weaknesses in Microsoft software might be encouraged by Bill Gates’ recent decision to make security a priority – but they shouldn’t breathe a sigh of relief just yet.

In an internal memo sent to Microsoft employees and leaked to the press, Microsoft’s chairman and chief software architect called for a shift in the software giant’s focus towards security – a strategic initiative he dubbed “trustworthy computing.”

Though John Pescatore, a research director for Internet security at Stamford, Conn.-based Gartner Inc., believes that the memo is at least in part a publicity ploy, he also said that in the past these internal Gates memos have had a profound effect on Microsoft’s direction. But even if the company is serious about building better security into its products, it will take years for that change to take root, Pescatore said.

“Now, Microsoft has been building its culture for 20 years now, so you don’t just throw a memo out and yell at people for a while and change a culture.”

It will take at least one to three different versions of Microsoft’s various products for its new-found commitment to security to show itself, said Jonathan Eunice, principal analyst and IT advisor at Illuminata in Nashua, N.H.

“You don’t just reengineer a product from a security perspective overnight – you’ve got to build that in.”

This is something Microsoft is ready to admit.

“We don’t have all the hard plans in place based on this announcement … It will take the next few years to see the repercussions of that really to come forward,” said Mike Lonergan, a security consultant with Microsoft Canada in Toronto.

The shift in Microsoft’s strategy comes as a result of customer feedback and a recognition that the nature of computing is changing, Lonergan said.

“We’re recognizing that the industry is changing – that where we are today is hardly anything like where we were ten years ago when customers of ours were hardly ever on the Internet, weren’t in this kind of interconnected, always-on environment that presents a very different threat than did for customers that were merely connecting to each other over dial-up lines or on internal corporate networks.”

But Microsoft’s customers have been surfing the Net and writing e-mail for quite a number of years now.

“Well, I think it’s fair to say that this is yet a stronger commitment to security than we’ve had before. It’s not like Microsoft hasn’t been building security into its products or hasn’t been building products with security in mind over the last five or ten years,” Lonergan said.

Over the past few years, hackers have taken advantage of holes in Microsoft products to unleash the likes of Melissa, the ILOVEYOU bug, Nimda and Code Red. In addition, Microsoft’s own internal systems have themselves proven to be vulnerable.

“The security attitude of many of these products is, frankly, just pathetic. I call it guts-exposed programming,” Eunice said.

But Microsoft’s stronghold in the software market makes it an attractive target, Lonergan said.

“Hackers are usually finding the same types of holes in Microsoft software year after year after year. Microsoft keeps building them in,” Pescatore said. And most of the hackers aren’t generally that talented, he said.

Microsoft recognizes that it needs to address its security issues if it is going to push its .Net strategy forward, said Alister Sutherland, director of software for IDC Canada in Toronto.

Part of the problem is that the company in the past has overlooked security in its haste to get new feature-rich versions of its software out to consumers in order to bolster sales, Pescatore said.

In the memo, Gates wrote that, in the future, given a choice between adding features and adding security, the company now needs to choose security.

This would be a welcome change, if true, Sutherland said.

It’s just very easy to add features rather than putting in reliability and quality, Eunice said. Though consumers are seduced into upgrading products by new features, most add little value, he said.

“It’s kind of like being in a candy store. If I go into a candy store, yes I want a chocolate-covered cherry, and yes, I want one of those raspberry surprises… but if as a consumer, I actually eat all of those things – one I get fatter, two, I get empty calories.”

But Pescatore doubts that the new strategic focus would mean leaner products from Microsoft.

“You’ve got to throw new ‘gizzywidgets’ in to cause people to upgrade, and Microsoft will have to.”

It’s the frequent releases filled to the brim with new features that drive Microsoft sales, as well as those of hardware companies, resellers and third-party vendors, he said.

“The example that Bill (Gates) used by saying, ‘If you have a choice between an additional feature and security, you shall now choose security,’ I think that’s actually something I would describe as an edge case. That’s one of the extreme decisions that would be made probably near the end of a development process,” Microsoft’s Lonergan said.