Whether you choose to believe it or not, Microsoft appears to finally be getting its security house in order. No, frequent patches, like yesterday's corrections to critical flaws, are not evidence that secure computing is an impossible task for Microsoft. On the contrary. Microsoft, probably more than any other vendor (because of what it has been through), knows more about what it takes (technology-wise, business-process-wise, timing-wise) to secure its customers than any other non-security vendor in the computer industry. That doesn't mean there isn't still a to-do list with items left on it. But it does mean that Microsoft, between what it's doing for existing users of its products and what it's doing in the next version of Windows (Vista), is on the right path.
There's other evidence of Microsoft's progress. While vulnerabilities still exist and new malware that exploits them continues to turn up, it has been a long time since malware that exploited a vulnerability in Microsoft's operating systems or applications resulted in a widespread outbreak or a serious disruption on the order of SoBig, CodeRed, Melissa, or the infamous ILOVEYOU worm that "celebrated" its sixth anniversary last week. As Windows' "surface area" (security-speak for the breadth of exposed code in which vulnerabilities can turn up) continues to shrink, malware developers will increasingly be looking elsewhere for trouble (for example, some mobile platforms and, more recently, Mac OS X). The #1 item in the SANS Institute's Spring 2006 Top 20 List of Security Vulnerabilities said:
Rapid growth in critical vulnerabilities being discovered in Mac OS/X including a zero-day vulnerability (OS/X still remains safer than Windows, but its reputation for offering a bullet-proof alternative to Windows is in tatters.)
When I think of words that foster confidence, or even hope that the situation will be corrected, "tatters" is not one of those words.
The traditional security vendors appear to be scrambling as well. Shortly after a recent meeting with Gene Hodges during which the then-CEO of McAfee told me that the company was going to do just fine despite Microsoft's inclusion of competing security software and services in Vista, he jumped ship. Usually, CEOs stick around companies with a lot of upside. More recently, when news of OS X's vulnerabilities turned up, McAfee went on the offensive and launched a Mac security product with an accompanying PR campaign that Yankee Group analyst Andrew Jaquith lambasted as scaremongering. Desperate moves by a company that could be taking on water? You decide.
Meanwhile, after Fred Felman and Te Smith, a dynamic security duo that helped propel personal firewall maker Zone Labs to the stratosphere (and to acquisition by Checkpoint), left Zone to join another security outfit (Tenebril), it wasn't long before both moved on. Said Felman of the entire security business at the time, "It's beat." Fellow ZDNet blogger Richard Stiennon, who was a security analyst for Gartner before doing a short stint with spyware stomper Webroot (and who now blogs for ZDNet in addition to having founded IT Harvest), took umbrage at the idea that the security industry was out of gas. Sorry, Richard. I'm with Felman, who spent the better part of the last decade selling security products. When someone like that says the business is beat and backs it up by leaving it, the business is beat.
Need another smoking gun? I don't think you have to look beyond Symantec, which has been diversifying its portfolio over the last few years; a strategy that, judging by CEO John Thompson's more recent comments about identity management, isn't done yet. Since the beginning of 2005, Symantec has been on the acquisition trail, having acquired Veritas Software, Sygate, WholeSecurity, BindView, IMlogic and Relicore. Some of these companies are squarely in the security space. Others, like Veritas and Relicore, are more about systems management and reliability (tangentially connected to security, but not a direct hit). This week, Thompson indicated his quest may not be over, citing identity management (more closely tied to security, but not the sort of security that Symantec typically covers) as a category that interests him. Identity management? Symantec. It will be interesting to see where Thompson takes this. ID management, especially in the business space, is overflowing with enough companies and options to make your head spin. Not to mention that the key operating system players like Microsoft, Sun, and Novell (which is readying the official release of a new, open source-based ID management solution known as Bandit) have offerings in the space as well. Next on my blog to-do list: What I'd do if I were CEO of Symantec.