At Microsoft, Security Trumps App Compatibility

In a sea change of philosophy, Microsoft is working to put security ahead of not just features and functionality, but also legacy application compatibility.

In a sea change of philosophy, Microsoft Corp. is working to put security ahead of not just features and functionality, but also legacy application compatibility.

In a meeting with eWEEK last week, several Microsoft executives responsible for security software development said the company is also changing the way it ships some products to make them safer and will begin developing its own line of security software.

The approach represents a major change in thinking at Microsoft, which has traditionally put the user experience—including usability and compatibility—at the forefront of its development efforts. Now, with security topping the requirement list for all products, especially the overdue Windows .Net server family, something will have to give, and legacy application compatibility seems to be the prime candidate.

"Customers are increasingly focused on security, even if this means backward compatibility is broken," said Doug Bayer, director for Windows security at Microsoft, in Redmond, Wash. Craig Mundie, a senior vice president at Microsoft and the companys chief technology officer for advanced strategies and policy, added, "We are opting for security rather than legacy application compatibility."

But many users disagree with this approach, saying that the goals of security and backward compatibility shouldnt be mutually exclusive.

"I wont even plan a move to new servers until I know I can use my existing application base," said David Moskowitz, CIO and CTO of Productivity Solutions Inc., based in Bala Cynwyd, Pa. "The .Net servers arent done until they deliver both compatibility and security."

Some, however, said Microsoft is making the right move. "The corporate buyer particularly ... wont tolerate insecurity any longer. It costs too much to be constantly making up for shortcomings," said John Parkinson, vice president and chief technologist at Cap Gemini Ernst & Young LLC, based in Rosemont, Ill. "To their credit, Microsoft is trying to do something about security; to their discredit, it has taken them a hell of a long time to figure it out. [Microsoft is saying] you can have it now, or you can have it secure, but you cant have both."

Until now, much of what Microsoft has said about its Trustworthy Computing initiative has centered on its code review and developer training efforts. But, as more details trickle out, it has become obvious that the strategy is much broader than that and will likely include the development of dedicated security products.

To that end, the company recently formed a new group, the Security Business Unit, under Vice President Mike Nash, who now reports to Brian Valentine, the senior vice president of the Windows division. The SBU is responsible for desktop, server, network and infrastructure security products and solutions. The group will look at what kinds of additional security products and technologies customers will need to enhance their overall network security infrastructure. The SBU will be responsible for delivering these types of products, including the next versions of Internet Security and Acceleration Server—the companys only security product to date—and any future products in the security line, officials said.

Microsoft has also said it is planning to ship products that are "secure by default"—with features that dont load automatically upon installation. In a rare move, Microsoft delayed shipping its recently released Visual Studio .Net product to OEMs to ensure that it ships secure by default. It has also delayed the launch of the Windows .Net Server line.

Microsofts Bayer said that in the last few weeks of security review, Microsoft decided to ship the upcoming Windows .Net Server line with Messenger, NetDDE, license server, content indexing and NetMeeting in lockdown by default.

Microsoft is also increasing accountability internally for security across its product lines. Every source file and binary component that ships will now have to have an owner, a staff member who will have to sign off on the fact that the code has been reviewed against the threat models, Bayer said.

But it remains to be seen whether all this is enough to woo customers from their platforms.

"We dont upgrade systems that work and dont appear to have vulnerabilities," said Horia Tudosie, IT manager and system architect at SkyLink Travel Inc., in Toronto. "It is not only the cost and the time lost associated with such an upgrade but also the worry that the new system wont support legacy apps."

Related stories:

  • Trusting in Microsoft
  • Microsoft: Fix Privacy at All Costs
  • Microsoft Gets New Security Chief
  • Gates: Security Over Features
  • Following Through on Priority 1: Security