Microsoft's conversion in the past year to embrace security as a corporate mission is cause for a shout of hallelujah—almost. The Secure Windows Initiative was launched a year ago, but the turning point came in January, when Bill Gates issued a memo exhorting employees to put security ahead of all else, including functionality. Last month, Microsoft Chief Technology Officer Craig Mundie said that security is so important it will take precedence over backward compatibility.
Hold on a minute. It's great that Microsoft has gotten religion with regard to security. But customers are entitled to bristle when the company casually discards backward compatibility in the bargain.
Is Mundie finally admitting what many Microsoft haters believe, that Microsoft products are so fundamentally insecure that the entire legacy must be scrapped? What does that say about Microsoft's credibility in promoting these products, not to mention the skill of its architects and programmers in building them? And does this mean Microsoft must enact a forced user migration to generate a license revenue stream to pay for the building of new, secure software?
If that weren't enough, Microsoft is asserting in antitrust proceedings that security vs. API disclosure is an either/or choice. That just isn't true. "Security through obscurity is always a bad idea," wrote open-source maven Bruce Perens in a widely circulated essay almost four years ago. No competent security authority disagrees. And API disclosure by Microsoft is essential to a competitive software market.
Gates said in his memo that if customers can't trust his company's software, nothing else will matter. He's right that trust is critical. But breaking backward compatibility or putting crucial APIs under a burka undermines trust just as surely as insecure code does.
Maybe Microsoft should put trust—instead of security—at the top of its priority list. The first step would be to be honest about its approach to security in its products.