Tuesday, May 18, 2010

Microsoft Security - Six Years Later

On January 15, 2002, Bill Gates sent an email to every full-time employee at Microsoft, in which he described the company’s new strategy emphasizing security in its products. In the email Gates referred to the new philosophy as “Trustworthy Computing” and called it the “highest priority”.




The Computerworld posting Microsoft Can’t Claim Victory in Security Battle picks up the story.



As Gates officially retires from his job at Microsoft, he leaves behind a company that by most accounts is doing better on security. But fully convincing users of that is an elusive goal. And increasing competition from Web 2.0 and software-as-a-service (SaaS) vendors is posing new challenges for the security development model implemented after Gates wrote his memo.



There is general agreement that bugs are inevitable and that Microsoft’s massive user base makes it a big target for attackers. But the steady drumbeat of patch releases has tarnished the company’s efforts to improve its security standing, …



The original blog posting “Trustworthy Computing” - Yea, Right, Sure was posted soon after the “Trustworthy Computing” memo hit the Web. It has been updated since.



Yea, right, sure, Bill. Sending Microsoft coders off to security and reliability coding school is going to make things all better real soon. If you believe that, I have a bridge to sell you. Anyone sent off to training comes back knowing some new buzzwords and maybe even understanding a couple new concepts.



I applaud the effort, but it takes a very long time to break old coding habits and internalize new ones, no matter what the punishments and rewards are. No one comes back cleansed of old habits. I’m reminded of the limerick that you can train a dog but you can’t make it think.



I think the problem facing Microsoft is systemic. In my opinion, poorly designed code and poor coding practices may be at the heart of the Microsoft security and stability epidemic. Detecting and eradicating them may be impossible.



If it could be done, the effort may cost many times that of developing and testing the product line in the first place. Automated tools will help pick off the very low hanging fruit, but won’t get anywhere near the really nasty problems that seem to exist throughout Microsoft’s product line.



Bill Gates seems to have made choices about security and reliability early on. There’s no practical way to rectify them now, except maybe by starting from scratch.



Even starting over with Vista won’t fix the problem. The real culprit may be Microsoft’s corporate culture created by Bill Gates. Getting a culture’s head straight is a very difficult, if not an impossible task.



In my opinion, the fundamental problem facing Microsoft isn’t a technology one but a human one. I don’t think any amount of training or engineering will fix it.



Besides corporate culture, I don’t think starting over is a likely option for Microsoft, as I discussed in the Obese Windows blog posting.



Microsoft security issues are getting better. I don’t foresee them improving to the state of common contemporary operating systems such as Mac OS X, Linux, Solaris, HP-UX, AIX, FreeBSD, OpenBSD, etc…



I also don’t expect to see the company culture change radically. Bill Gates may have left the building but he is still Chairman of the Board and the company’s largest shareholder.
