At Gartner Symposium/ITxpo, Microsoft CEO Steve Ballmer tried to disabuse the thousands of IT executives attending the conference of two notions: Windows software is hopelessly insecure and Linux offers a better TCO (total cost of ownership) than Windows.
I don't think he disabused too many people of their scepticism about Windows security with his rhetoric, but he at least put the issue in perspective. "At this stage we have learned a lot more about security than anybody else in the world, and we need to focus in on a few things," Ballmer said. At the top of his list: engineering fewer vulnerabilities into software and educating users on how to stay more secure. He also equivocated on Bill Gates' statement that security would not be a top three priority for Microsoft two years from now. "We expect to make a boatload of progress in the next two years. Whether the statement is true or not remains to be seen. It expresses Bill's fundamental optimism about the good work he thinks we are doing in this area -- if we don't get there, we will keep it [security] as a top priority until it doesn't need to be there anymore," Ballmer said.
Gartner analyst John Pescatore predicted that by 2005 software will start to ship that is built from the ground up with security in mind. Removing 50 percent of vulnerabilities in software prior to deployment will result in a 75 percent cost reduction for configuration management and incident response, Pescatore said. Several companies are developing tools for tracking down and eliminating vulnerabilities, such as buffer overflows, during the development process.
Ballmer also claimed that Windows has fewer vulnerabilities than Linux and that Microsoft produces security fixes faster than the Linux community. Despite his claims about Microsoft's superior record of security remediation versus Linux, Ballmer admitted that customers need more reassurance. "What people really want to know is, do you meet the bar -- are you providing what we need on the security front. The answer for most customers is that they want us to do more," Ballmer said. He did acknowledge that as Linux becomes more popular, hackers will find it a more attractive target.
Of course, there are counterarguments, such as that Microsoft's software monoculture poses a security risk. It's not a contest to see who has the most vulnerabilities or who fixes holes faster, however; it's which platform suffers the most attacks and costs enterprises more, and Microsoft clearly leads on that front.