Ballmer Sounds Off On Security

Ballmer said Microsoft had made "great progress" and "dramatic strides" since the introduction of its Trustworthy Computing Release Process. "We've got our best brains on it," he said, adding that Microsoft understands that security concerns impact customer satisfaction and the software giant's reputation vis-a-vis its competitors.

"In every sense, it's a defining-moment issue for us," Ballmer said. "I know we need to do better. But we're in this very challenging position where, in effect, the hacker only needs to find one vulnerability, [while] we need to keep them all out."

Ballmer admitted that there's much more work to do. He said he knows that customers want a simpler, more predictable patching process, smaller patches and better patch management tools. "We've put a lot of effort and energy into improving our patching progress, probably later than we should have. And now we're gaining speed," he said.

Microsoft is making strides in shield technologies and distributed firewalls, Ballmer added. "That's an area where we're really cranking up," he said. "We announced that we'll do a new release of Windows XP, a new release of Windows Server 2003, to incorporate some of these technologies."

Ballmer flatly rejected the notion that Linux--with its user-driven rather than vendor-driven development process--is doing a better job than Microsoft at addressing security. "We get a lot of questions. People say, 'We have a security problem; let's fix it. What's your road map for this? What about this? What about this? What about this?' " he said. "There's no road map for Linux. There's nobody to hold accountable for security with Linux. There's nobody's rear end on the line."

Ballmer also attacked the idea that an open-source model of software development produces better products. "Should there be a reason to believe that code that comes from a variety of people unknown around the world somehow will be a higher quality than people who get paid to do it professionally? I don't buy that," he said. "We have a methodology, we have an approach, we have a testing process that we know can lead to a sustained, predictable level of quality."

While acknowledging that Microsoft customers weren't happy finding four critical vulnerabilities in Windows 2003 during the first 150 days after its release, he said the release of Red Hat 6 had "five to 10 times" that number. "So I'm not saying 'Hey, boy, aren't we the cat's meow here. We've accomplished it all.' All I'm saying is it is absolutely not good reasoning to think they're going to get better security out of Linux," he said.

Gartner ITXpo attendees generally gave Ballmer the benefit of the doubt that Microsoft is working hard at addressing their concerns. "I think [Microsoft is] doing a good job," said Rahul Gupta, director of business development at Syntel, a Detroit-based IT services firm.

David Henry, director of information services at American Cast Iron Pipe, Birmingham, Ala., said, "I think [Ballmer is] getting the message. I think he's open and understands as much as he can the user's pain."

"It's a step in the right direction," said Ashok Singh, senior manager of IT architectures at Caremark Services, a Northbrook, Ill.-based health-care prescription benefit management company.

But attendees also exhibited some skepticism. Jim Baker, applications director at Caremark, said he didn't think Microsoft would ever slow down its product development efforts to allow security management to catch up.

And Syntel's Gupta said that when all is said and done, Ballmer has no choice but to aggressively pursue security issues, with Linux gaining ground in the market. "Ballmer doesn't have an option but to go strong at security," he said. "Linux is going strong. If people start getting an option [to Microsoft products], it could be a problem."