Nothing drives a business like customer demand. When customers say they want X or they’ll go with competition, well, you do it or risk losing their business. Nearly 10 years ago this is where Microsoft found itself. Their product security was in terrible shape. No shortage of vulnerabilities resulting in widespread and devastating compromises with patches unpredictable and long in coming. Customers were fed up and threatened to dump Windows for Linux if things didn’t change. They meant it. Bill Gate’s, then Microsoft CEO, recognized the seriousness of the situation and authored the famous Trustworthy Computing memo.
“Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work.” (emphasis mine)
“Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways.”
From this executive-level mandate was born the Microsoft Software Development Lifecycle (SDL), into which security was tightly integrated. In the words of Michael Howard (Principal Security Program Manager, Microsoft) the goal of the SDL was/is to, “Reduce the number of vulnerabilities and reduce the severity of the bugs you miss.” Practical, straight forward, and most importantly measurable and achievable.
Flash forward to today, practically no one would argue over the enormous progress Microsoft has made in security with the unveiling of Windows 7, Internet Explorer 8, and other new software packages. Microsoft is now the corporate standard by which all other software security programs are compared. BUT, this success might also be the very thing that halts significant SDL gains in the future.
Look at it this way, in security terms, Linux no longer poses the threat to Windows it once did. When customers choose between Windows and Linux, save for maybe a Google PR play, “security concerns” are not a huge differentiator. Today purchasing decisions are based upon performance and utility, to a lesser extent "safety," but not so much "security." As such, customer demand for a more secure Windows has evaporated. Windows has become “secure enough” relative to available alternatives. Maybe the application on top do, but from a market adoption perspective Windows itself doesn't really need to be any more secure.
Now I don’t know this for a fact, but it wouldn’t surprise me if internally at Microsoft the ability to justify resource expenditure on Trustworthy Computing and the SDL is more difficult than in years past. Today, more security is not really going to drive more business for them. However, some security products they offer do directly drive revenue. So they'll be safe and invested.
Finding external indicators of the overall theory will likely prove challenging. If the theory is correct we’ll probably see security brain drain and rumors of program budget cuts. Time will tell.