When Christian Christiansen, an IDC IT security analyst, was briefed by people at Microsoft before the company launched its Trustworthy Computing initiative eight years ago, he was frank: "I told them 'You know it's going to take you 10 years to even start to change widespread customer opinion about how bad you are.'"
Christiansen thought they'd be offended but was surprised when they responded, "We know." They said they believed it would take more than 10 years to erase the perception that they made buggy software with weak security.
"I was struck by how long-term their focus on this was. I've never known any company that sticks to a 10-year plan for anything, at least not in the technology area," he said, during a panel discussion with other industry analysts at RSA Conference 2010 Tuesday in San Francisco.
The panel discussion followed a morning keynote address by Scott Charney, corporate vice president of Microsoft's Trustworthy Computing Group, in which he delivered the latest news about the company's efforts to enable secure "End-to-End" computing. Although noting that Microsoft's efforts to develop more secure software need to continue, the panelists gave the company a solid for what it's done so far.
In the past, Microsoft was "the poster child" for bad software with security vulnerabilities, said John Pescatore, a vice president at Gartner Inc., who added that the company realized security had to become a higher priority when customers told Microsoft, "We can't live like this."
Today, Microsoft is not only better focused on writing secure code, but also at providing incentives to product managers to ship secure software, Pescatore added. "So the product manager gets $1 million in stock options, not just because he got the product shipped on time but because there weren't security issues with the product," he said.
Now, Pescatore continued, other companies are getting bad press about security holes in software, such as the announcement last week from Adobe revealing a "critical vulnerability" in its Adobe Download Manager versions 188.8.131.52 and earlier that run in Windows. Adobe said the vulnerability could potentially allow an attacker to download and install unauthorized software onto a user's system.
"You start to see a lot of these other vendors having to go through a lot of what Microsoft went through years ago by injecting security into their products," he said.
To be sure, Microsoft still takes its lumps. Monday, as Computerworld's Gregg Keizer reported, Microsoft had to warn Windows XP users not to press the F1 key on their computers when prompted to by a Web site viewed on Internet Explorer because it was a trick to hijack the computer. Also, one of the ways in which hackers in China were able to access the Google Gmail accounts of Chinese dissidents was by exploiting a vulnerability in IE 6. And IT managers still have to circle one Tuesday a month on their calendars to remind them of "Patch Tuesday."
While Microsoft still faces security challenges, "I think they've done a good job of addressing some pretty fundamental issues," added Jonathan Penn, a vice president at Forrester Research.
What do you think? Has Microsoft significantly improved the security of their software products? Or have I just been taken in by their marketing machine? Let me know.