Microsoft's Security Dilemma

There seem to be two competing visions at the company: one in which security is paramount and another in which top priority goes to features that make it easy for anyone to build applications.

Software vendors, like presidential candidates, should be held accountable for taking consistent positions and following through on them. Too often, corporate officials make statements that sound good but don't carry over to product design. One example—although not the only one—is Microsoft.

Bill Gates ended March with a memo to customers in which he detailed Microsoft's plans to improve security throughout its products. This memo is an impressive document that points out advances that Microsoft has already made and improvements for the future. If the plans in this document were brought to fruition, they would make the Internet safer and go far to correct Microsoft's poor reputation for security.

In the past, something else—usually "cool" features—has almost always sidetracked Microsoft's security initiatives. Recent statements by the chairman and chief software architect indicate that this behavior pattern may be continuing. At the recent Gartner ITxpo in San Diego, Gates discussed many of Microsoft's plans for the future, among them one to include more visual modeling in Visual Studio. Now, visual modeling is a useful tool for developers, but Gates spoke of visual modeling as the foundation for future development and claimed it would reduce actual coding greatly.

Upon hearing that statement, many experienced developers probably cringed. Overreliance on visual modeling, especially on the part of nondevelopers—a benefit specifically touted by Gates—is almost a guarantee of poorly designed and insecure programs. Even worse, since these visual tools encourage reuse of components without any visual vetting of the code, the likelihood that a single bad component might spread quickly through multiple projects is very high.

There seem to be two competing visions at the company—one in which security is paramount and will drive all product decisions and another in which top priority goes to features that make it easy for anyone to build applications. In the past, company officials have often said the right things about quality and security, only to give in to the lure of nifty features that add pizazz to demos and keynote speeches.

This tendency has led to ill-advised moves, such as scripting in e-mail, ActiveX controls, and systems with default configurations that have every feature turned on whether someone uses them or even wants them. Those who care about Microsoft and security have deeply regretted such "innovations."

But the past doesn't have to predict the future. Perhaps security considerations will win out from now on when they go head-to-head with the cool but risky new features in the development lab. They'll have to if Microsoft is to continue its drive to be a major enterprise player. If the company's leaders let their heads be turned again by sexy but dangerous new features, many enterprise customers won't be giving them another chance.
