Microsoft's security complex

Microsoft's security strategy is hard to understand. This may be because it doesn't exist
Written by Leader , Contributor

Microsoft's new-found devotion to security hasn't been doing too well. Malware of all kinds flourishes, patches are issued in considerable numbers -- eleven so far this month -- and far from reaping a peace dividend from more secure, easier to maintain software the company has been out buying anti-virus and anti-spyware vendors. Why has Microsoft's multi-billion dollar research division not come up with a way to protect the company's own vulnerable software?

It may be panic. The rumour from within Microsoft is that the latest acquisitions came about because Bill Gates found spyware on his own PC and 'freaked'. An engaging vision, but not really the stuff of corporate strategy. Nonetheless, this explains Microsoft's actions as well as anything -- and if the company has a long-term strategy and roadmap for improving security, it's not sharing them with anyone.

There are concerns that if Microsoft gives away all its anti-malware tools, this will distort the market and be unfair on competitors. But if Microsoft ever produced properly secure operating system and applications, the Symantecs of this world would wither away and not be missed. The employment of the doctor does not take precedence over the health of the patient. All people want are computers that work and data that is safe.

To that end, Microsoft must be more open about its methodologies and principles for producing secure software. It can even lead the industry by encouraging informed debate in this area, and adopting open, audited design processes that concentrate on safety first. No airliner can be built without rigorous safety checks at all stages of the design and testing, no food factory is exempt from inspection. Something of that attitude must become part of the software industry in general and Microsoft in particular.

We can help by refusing to buy software that can't be shown to have been designed well -- what other industry is so secretive about aspects of such fundamental importance? Governments and regulators can help by the forced open-sourcing of any portion of software sold to the public and subsequently found to be insecure. Shrinkwrap licences that offer reparation for security breaches caused by failures in the software would also concentrate the designers' minds. Draconian measures surely, and offered partly tongue-in-cheek, but what is the alternative?

Microsoft has failed to live up to its own promises. It cannot complain if others now fix the problems so created.

Editorial standards