Friday, June 04, 2010

Microsoft security IS “good enough” and that’s the problem

Nothing drives a business like customer demand. When customers say they want X or they’ll go with competition, well, you do it or risk losing their business. Nearly 10 years ago this is where Microsoft found itself. Their product security was in terrible shape. No shortage of vulnerabilities resulting in widespread and devastating compromises with patches unpredictable and long in coming. Customers were fed up and threatened to dump Windows for Linux if things didn’t change. They meant it. Bill Gate’s, then Microsoft CEO, recognized the seriousness of the situation and authored the famous Trustworthy Computing memo.

“Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work.” (emphasis mine)

“Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways.”

From this executive-level mandate was born the Microsoft Software Development Lifecycle (SDL), into which security was tightly integrated. In the words of Michael Howard (Principal Security Program Manager, Microsoft) the goal of the SDL was/is to, “Reduce the number of vulnerabilities and reduce the severity of the bugs you miss.” Practical, straight forward, and most importantly measurable and achievable.

Flash forward to today, practically no one would argue over the enormous progress Microsoft has made in security with the unveiling of Windows 7, Internet Explorer 8, and other new software packages. Microsoft is now the corporate standard by which all other software security programs are compared. BUT, this success might also be the very thing that halts significant SDL gains in the future.

Look at it this way, in security terms, Linux no longer poses the threat to Windows it once did. When customers choose between Windows and Linux, save for maybe a Google PR play, “security concerns” are not a huge differentiator. Today purchasing decisions are based upon performance and utility, to a lesser extent "safety," but not so much "security." As such, customer demand for a more secure Windows has evaporated. Windows has become “secure enough” relative to available alternatives. Maybe the application on top do, but from a market adoption perspective Windows itself doesn't really need to be any more secure.

Now I don’t know this for a fact, but it wouldn’t surprise me if internally at Microsoft the ability to justify resource expenditure on Trustworthy Computing and the SDL is more difficult than in years past. Today, more security is not really going to drive more business for them. However, some security products they offer do directly drive revenue. So they'll be safe and invested.
Finding external indicators of the overall theory will likely prove challenging. If the theory is correct we’ll probably see security brain drain and rumors of program budget cuts. Time will tell.


SomeGuywithanOpinion said...

Please expound on your Tweet regarding the use of LiveCDs for secure web banking.
While not ideal, it's certainly more secure than doing it on a Windows based computer. Why? Because most people who would need to do that are home users and have not a single clue.

Jeremiah Grossman said...

@SomeGuy, while I'd agree that is technically the more secure option, its just not an option most users would actually consider. This solution is a false-choice in a way.

AppSec said...

Is MS Secure enough to justify cutting expenditures?

Short answer: No. With MS's history of security vulnerabilities and the constant abuse it takes for it, I can't see them cutting back anytime in the near future.

To me, MS's smart play is to turn into the NY Yankees (how appropriate I use that since I dislike MS and the Yankees). The Yankees don't stop spending because they've made a WS or even one a WS. They want to continue to dominate. One good thing about all of this security talk by all OS vendors (and cloud for that matter) is it is forcing the other to step up to the plate (so to speak).

MS would be foolish to back off now and risk sinking back to where it was.

Peggy said...

Nice posting at blog spot blog Nice blog and excellent post i really appreciate on hard work.

Unknown said...

As a software assemblage method expert and ALM MVP I specialist in the enforcement of Team Substructure Computer, Visible Flat and Microsoft ensure Administrator. I'm answerable for delivery to customers change their software bundle processes by decent implementing microsoft software Ag group Foundation Server tools in a really form that's congruous for his or her organization.