Commentary: If security fails, .Net fails

By John Pescatore, Gartner analyst

Microsoft has committed to making its products more secure and worthy of customers' trust. The philosophy outlined in a memo from Bill Gates this week lays out most of the imperatives that Gartner believes are necessary for Microsoft to change the software maker's long-established product management and development culture.

	See news story: Security gurus welcome Microsoft's goal

Microsoft became the world's most powerful software company by building software that gave the individual the control. Upgrades and new software always included more features to allow people to do more things. Product managers got promoted by shipping software on time with enough new features to compel customers to upgrade. Crashes and sloppy programming that left gaping holes for hackers became problems of secondary importance.

With the Internet, however, security vulnerabilities became exposed to attack from any savvy programmer on the planet. If Gates' realignment of Microsoft to the Internet in 1996 had made security a prime concern for new Internet features, enterprises would have avoided many billions of dollars of cleanup costs because of the long list of viruses and worms that have struck Internet-connected servers and PCs.

Gartner believes that Microsoft is serious about making this shift because its .Net strategy will fail if the security initiative fails. Nevertheless, changing the management and development culture of such a large company poses a huge challenge, and it won't happen quickly.

Previous Gates memos brought results in less than a year, but the Internet and .Net visions played to Microsoft's instinctive worship of new features. Even with full commitment to security, Microsoft will need time to demonstrate support for a product manager who ships a safe product later or whose product takes longer for customers to adopt because it includes fewer new features to enhance safety. Gartner believes that concrete results from this new initiative will appear no earlier than first quarter 2003.

The new vision outlined by Gates lacks a focus on software safety that would help keep people from hurting themselves--much as an automatic transmission requires the driver to step on the brake before the car can be put in gear. Operating system interfaces could, for example, allow trusted antiviral software to ask the operating system to block execution of new programs until the software can update its signature.

Corporations should make it clear to Microsoft that they will base their use of .Net services and future Microsoft software products on clear evidence that they have become more trustworthy. Customers should monitor the company's progress and vote with their checkbooks--that is, by buying or not buying Microsoft products.

(For a related commentary on Microsoft's security vulnerabilities, see gartner.com.)

Entire contents, Copyright © 2002 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.