To be sure, Microsoft doesn't have a great history in this space, and while it's made progress in tightening up holes, generating patches and educating its users, there's still an awfully long way to go.
I'm of the opinion that the company has the ability and desire to really make a difference, but there's a nagging element of skepticism that the buzzwords will solidify into reality. An interview with Stuart Okin, the newly appointed CSO of Microsoft U.K., and ISA marketing manager Ben English shed some light on where the company is going, but there are still a few shadows to dispel.
Microsoft has proven in the past that it can swallow a mistake, implement a complete reversal of strategy, come out with all guns blazing and make a serious dent in a fresh market. With the sort of resources it has available, there's no reason why the company shouldn't be able to do the same here: make security a real issue for itself and achieve some real progress.
But I'm not sure they will pull it off, at least in the short-to-medium term. There's a lot more rhetoric than results coming out of Redmond at the moment, and the market doesn't want big words, it wants concrete evidence. Real results aren't going to be achieved without some real pain, and Microsoft wants pain no more than any other developer. The pain would come in several forms: massive code reviews are essential (and costly) for a start. But there would also be real pain in frozen development - projects which must be delayed and pushed back to ensure that they really can meet more stringent quality assurance criteria - criteria that have security at their heart. More resources for security training, testing, patching ... these will absorb funds and manpower, and inevitably there will be a pinch.
Until I see some signs of that pain, I'll treat declarations of overflow-free products with the pinch of salt they deserve. Last year Jim Allchin made the mistake of declaring Windows XP "buffer-overflow free," a laughable claim that has been proved wrong in numerous exploits since. Red flags went up in many heads immediately, not because there were vulnerabilities in XP (what product has none?) but because Microsoft appeared to believe that the code audit conducted on Windows XP really had crushed all the overflows. Something was very wrong, either with Allchin's claims, the audit, or both. Either way, reassurance was not forthcoming, and a security reputation took the knock it deserved.
Is this fresh crop of security proselytizing any more reliable? Unfortunately, only time will tell whether the company has managed the turnaround it so badly needs. Faced with a dubious market, the company will have to exert itself all the harder to sway confidence in its customers and partners.
There are questions, too, on the privacy and disclosure fronts. In the former case, it appears the company has learned the hard way that the market simply will not trust a single entity (especially one with such a clear commercial vested interest) to hold the keys to their privacy, and Project Hailstorm (a.k.a. "My Services") has been quietly shelved, only a year after its investiture. That, of course, knocks a crucial leg out from under .NET, which was already being asked some pointed questions about security and trust. What Microsoft will do with Hailstorm remains to be seen, but it could become just another example of a Microsoft strength - the ability to perform a U-turn, absorb the cost and still remain focused.
On the matter of disclosure, Microsoft is keen on the idea of withholding vulnerability announcements until they are patched, which has pros and cons. The window for malicious development on the back of the announcement is indeed reduced, but the assumption that black-hats will not figure it out anyway is a risky one, and the window for interim workarounds and patches is also firmly closed. Given the preponderance of vulnerabilities discovered by third parties, the pros may not outweigh the cons in the Microsoft party line.
In the meantime, the security market itself is looking more attractive to Microsoft all the time. The company is not oblivious to the glowing reports from analysts about the expected worth of the market. The question is, which segment will it attack, and when? The company has already established a foothold in the firewall space. My money is on the appliance market next - the market's littered with network and security appliances running Linux or BSD variants, and it's making money fast.
If anyone has the muscle and track record to turn over a new security leaf and spring ahead from a standing start, it's Microsoft. Whether they will get beyond the rhetoric remains to be seen, but we should see results either way in the next few months.
Jon Tullett is U.K. editor of SC Magazine (www.scmagazine.com)