At Microsoft, Security Trumps App Compatibility

By Peter Galli  |  Posted 2002-04-01

In a sea change of philosophy, Microsoft Corp. is working to put security ahead of not just features and functionality, but also legacy application compatibility. In a meeting with eWEEK last week, several Microsoft executives responsible for security software development said the company is also changing the way it ships some products to make them safer and will begin developing its own line of security software. The approach represents a major change in thinking at Microsoft, which has traditionally put the user experience—including usability and compatibility—at the forefront of its development efforts. Now, with security topping the requirement list for all products, especially the overdue Windows .Net server family, something will have to give, and legacy application compatibility seems to be the prime candidate.
"Customers are increasingly focused on security, even if this means backward compatibility is broken," said Doug Bayer, director for Windows security at Microsoft, in Redmond, Wash. Craig Mundie, a senior vice president at Microsoft and the company's chief technology officer for advanced strategies and policy, added, "We are opting for security rather than legacy application compatibility."
But many users disagree with this approach, saying that the goals of security and backward compatibility shouldn't be mutually exclusive. "I won't even plan a move to new servers until I know I can use my existing application base," said David Moskowitz, CIO and CTO of Productivity Solutions Inc., based in Bala Cynwyd, Pa. "The .Net servers aren't done until they deliver both compatibility and security."
Some, however, said Microsoft is making the right move. "The corporate buyer particularly ... won't tolerate insecurity any longer. It costs too much to be constantly making up for shortcomings," said John Parkinson, vice president and chief technologist at Cap Gemini Ernst & Young LLC, based in Rosemont, Ill. "To their credit, Microsoft is trying to do something about security; to their discredit, it has taken them a hell of a long time to figure it out. [Microsoft is saying] you can have it now, or you can have it secure, but you can't have both."
Until now, much of what Microsoft has said about its Trustworthy Computing initiative has centered on its code review and developer training efforts. But, as more details trickle out, it has become obvious that the strategy is much broader than that and will likely include the development of dedicated security products.
To that end, the company recently formed a new group, the Security Business Unit, under Vice President Mike Nash, who now reports to Brian Valentine, the senior vice president of the Windows division. The SBU is responsible for desktop, server, network and infrastructure security products and solutions. The group will look at what kinds of additional security products and technologies customers will need to enhance their overall network security infrastructure. The SBU will be responsible for delivering these types of products, including the next versions of Internet Security and Acceleration Server—the company's only security product to date—and any future products in the security line, officials said.
Microsoft has also said it is planning to ship products that are "secure by default"—with features that don't load automatically upon installation. In a rare move, Microsoft delayed shipping its recently released Visual Studio .Net product to OEMs to ensure that it ships secure by default. It has also delayed the launch of the Windows .Net Server line. Microsoft's Bayer said that in the last few weeks of security review, Microsoft decided to ship the upcoming Windows .Net Server line with Messenger, NetDDE, license server, content indexing and NetMeeting in lockdown by default.
Microsoft is also increasing accountability internally for security across its product lines. Every source file and binary component that ships will now have to have an owner, a staff member who will have to sign off on the fact that the code has been reviewed against the threat models, Bayer said.
But it remains to be seen whether all this is enough to woo customers from their platforms. "We don't upgrade systems that work and don't appear to have vulnerabilities," said Horia Tudosie, IT manager and system architect at SkyLink Travel Inc., in Toronto. "It is not only the cost and the time lost associated with such an upgrade but also the worry that the new system won't support legacy apps."
Related stories:
  • Trusting in Microsoft
  • Microsoft: Fix Privacy at All Costs
  • Microsoft Gets New Security Chief
  • Gates: Security Over Features
  • Following Through on Priority 1: Security
    Peter Galli has been a financial/technology reporter for 12 years at leading publications in South Africa, the UK and the US. He has been Investment Editor of South Africa's Business Day Newspaper, the sister publication of the Financial Times of London.

    He was also Group Financial Communications Manager for First National Bank, the second largest banking group in South Africa before moving on to become Executive News Editor of Business Report, the largest daily financial newspaper in South Africa, owned by the global Independent Newspapers group.

    He was responsible for a national reporting team of 20 based in four bureaus. He also edited and contributed to its weekly technology page, and launched a financial and technology radio service supplying daily news bulletins to the national broadcaster, the South African Broadcasting Corporation, which were then distributed to some 50 radio stations across the country.

    He was then transferred to San Francisco as Business Report's U.S. Correspondent to cover Silicon Valley, trade and finance between the US, Europe and emerging markets like South Africa. After serving that role for more than two years, he joined eWeek as a Senior Editor, covering software platforms in August 2000.

    He has comprehensively covered Microsoft and its Windows and .Net platforms, as well as the many legal challenges it has faced. He has also focused on Sun Microsystems and its Solaris operating environment, Java and Unix offerings. He covers developments in the open source community, particularly around the Linux kernel and the effects it will have on the enterprise.

    He has written extensively about new products for the Linux and Unix platforms and the development of open standards, and has looked critically at the potential Linux has to offer an alternative operating system and platform to Windows, .Net and Unix-based solutions like Solaris.

    His interviews with senior industry executives include Microsoft CEO Steve Ballmer, Linus Torvalds, the original developer of the Linux operating system, Sun CEO Scott McNealy, and Bill Zeitler, a senior vice president at IBM.

    For numerous examples of his writing you can search under his name at the eWEEK Website at

