In January, Microsoft Chairman Bill Gates issued a companywide memo that made a "Trustworthy Computing" initiative the top focus of his company.
See news story: Allchin stands up for Windows security
The philosophy outlined in the Gates memo laid out most of the imperatives for Microsoft to change its long-established product management and development culture. Gartner agrees with Gates and believes that open-source review of Microsoft's code is necessary to meet security goals. However, statements by Jim Allchin, Microsoft's senior vice president for Windows, in federal court on May 7 do not seem to reflect Gates' views.
Computer hackers have had little difficulty breaking into Microsoft's closed-source software. A strategy of relying on security through obscurity (that is, hiding source code) has been proven to be a failure in Microsoft's case. To make future products more trustworthy, the company must become better at developing code that can withstand external review.
Gartner believes that open documentation and public review of program interfaces between operating systems and applications will lead, over the longer term, to stronger security mechanisms. The exposed interfaces would likely be subject to short-term exploitation as existing but as yet undiscovered vulnerabilities are brought to light. However, this simply means that insecure code will become secure more rapidly, which will help Microsoft meet its goal of delivering trustworthy, secure software.
Gartner believes that security risk is not a valid argument against making source code visible. Whether the legal system should impose that as a remedy for Microsoft's alleged abuse of its monopoly is a matter for the courts to decide.
(For a related commentary on Bill Gates' security philosophy, see gartner.com.)
Entire contents, Copyright © 2002 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.