It was as recently as last years RSA conference, in San Jose, that Microsofts security "strategy" was a laughingstock—literally. As a speaker tried to persuade attendees of what passed for security in Windows 2000 during an RSA session in January 2000, titters from the audience prompted him to say, "I know. I know. They are trying." And this was before the ILoveYou virus.
Now, theres evidence that Microsoft has tried, and learned. And now it is doing everything right in the never-ending security battle. That doesnt mean that it is succeeding or will succeed. But it does mean that the company has undergone a complete reversal in its attitude toward security.
It was at this years RSA conference, held a couple of weeks ago in San Francisco, that Microsoft detailed its new security plans. Before, any time Microsoft mentioned security, it was only lip service. Now it has actually accomplished something, most notably in the area of internal education for its own developers and new methodology in how products are designed: with security in mind from the foundation, not as an afterthought that results in dozens of post-release security patches.
The company has recruited university and corporate laboratories around the country to pull apart its source code and look for security bugs. It has come up with a code-signing system that will help prevent the Visual Basic script worms that have dogged the company for the past year.
Granted, Microsoft hasnt turned around solely for its customers well-being. But the Redmondites did see the writing on the wall: Get your security shop in order, or Linus Torvalds and Steve Jobs will be eating your lunch.
"Security is a journey, not a destination," said Microsofts vice president of Windows servers, Dave Thompson, at the RSA conference. If Microsoft really means it this time, then it has indeed left the road to ruin and switched to what for them is the road less traveled. Lets hope that makes all the difference.