Security Solution Providers Hopeful, But Skeptical After Gates Memo


Security solution providers said Microsoft Chairman Bill Gates' directive to the company's employees to make security a priority is a positive move for the software giant, but some were skeptical.

"That's a good idea. They haven't made it a priority in the past, and they have [security problems] that are well known," said Aubrey Brown, CEO and president, Corsa Network Technology, Campbell, Calif.

Duncan Alexander, vice president and principal, Alexander Open Systems, a Lenexa, Kan.-based networking integrator, said, "Any attempt to secure Microsoft in a better manner is worth it. But it's a very political marketing move."

Chris Poulin, president and CEO of FireTower, an Internet security services firm and reseller based in Medfield, Mass., said Microsoft has routinely put function above security in its software development and he doesn't expect that to change, at least not anytime soon.

"Gates is saying, 'Let's make security a focus,' but that doesn't occur as a result of a memo -- it requires an entire change in their culture. I'm not holding my breath for hardened applications from the Cult of Bill," Poulin said.

He added that leaking the internal memo to the media, which publicized it widely, is essentially spin control and a common Microsoft tactic.

In a companywide memo, Gates called on employees to focus on security rather than features in developing products. He said the initiative, dubbed "Trustworthy Computing," also would emphasize reliability and privacy.

The emphasis on security, Gates said, is critical to the success of Microsoft's .Net strategy for Web-based services.

The memo comes after several high-profile security flaps involving Microsoft software. In December, the vendor warned of serious vulnerabilities in its Universal Plug and Play (UPnP) service affecting Windows XP.

Last fall, market-research firm Gartner recommended that enterprises investigate "less vulnerable" alternatives to Microsoft Internet Information Server (IIS). Last year's damaging Nimda and Code Red worms both exploited vulnerabilities in IIS.

Roger Blohm, director of managed services at Satel, a Salt Lake City-based security provider, said he's pleased that Gates' memo draws public attention to the issue of data security.

But whether Microsoft can adequately secure its products is "a big wait and see," he said.

Vulnerabilities in Microsoft's software draw more attention than those in software from other vendors because its products are so popular, Blohm added. By focusing on security, the vendor is at the forefront of a problem that goes further than Microsoft, he said.

Chris Wysopal, director of research and development at @stake, a security-services firm based in Cambridge, Mass., said Microsoft is taking concrete steps toward security by providing managers of development teams with incentives for delivering secure products, and by creating a central security team.

"It shows they're spending money on this and not just talking about it," he said.

Rick Romkey, president of U.S. operations at Integralis, a security integrator based in East Hartford, Conn., said Microsoft can afford to focus on security rather than features. But the move may hurt other software developers that don't have that luxury, he said.

"They can afford to rest on the laurels of their feature sets. Now they can take a deep breath and secure it," he said. "I don't know how the little guys can compete with that."

"My position has always been there's lots of ways to secure networks, not necessarily in the application itself," he said.