I don’t think anybody expects Microsoft’s forthcoming Vista release of the Windows operating system to be without its blemishes and flaws. No operating system is perfect, as the coders and executives at Microsoft have come to realize all too clearly. For Microsoft, security has been an especially acute problem, as evidenced by the endless stream of fixes that emanate from Redmond on Patch Tuesdays.
Still, Microsoft has made a determined, sustained effort to improve the security of its software products. You can see the commitment is genuine, and I don’t think anybody questions that security has become a paramount consideration in the design, development, delivery, and support of nearly every product in the company’s portfolio.
At long last, Microsoft is realizing that the security of its products isn’t something that ought to be subcontracted or left for others to provide. As a general principle, the software products developed and sold by a vendor should be as secure as possible, and that means the vendor itself should be held to account for providing a large measure of that security.
With security now a top-level priority at Microsoft, and with the company practicing secure coding of its products and looking to acquire companies and technologies that provide additional layers of defense and protection, what does that mean for companies who made their livings by filling the gaping security holes Microsoft previously left behind?
Well, it has meant they have had to diversify, for one thing. Symantec, McAfee, Trend, and others have had to redefine what it will mean for them to be security companies in a brave new world where Microsoft actually provides products and solutions that will be relatively well secured.
This is a major challenge for these companies, and as they scramble to find defense markets for future growth, they are encroaching on existing or emerging markets inhabited by other vendors, which in turn must devise strategies for their own survival and prosperity. I call that phenomenon “the Microsoft domino effect in the security market,” but the companies affected just call it trouble.
Meanwhile, security vendors must wage a defensive battle to slow Microsoft’s incursion into their territory. Since the best defense is a strong offense, and since Microsoft’s relationship to them has metamorphosed from partner to competitor, they must attack Microsoft’s security credibility at every opportunity. The idea is to make customers think twice about dropping their products in favor of the security offerings Microsoft is bringing to market.
It’s the equivalent of negative campaigning in politics, and sometimes it’s effective — for a while, and only under certain circumstances. These vendors know they’ll lose market share, but want to lose as little of it as possible while deferring the day of reckoning for as long as possible. Who can blame them?
Occasionally, though, in their fervor to defend the realm, they’ll seize on an obviously frivolous pretext, exposing their fear and loathing for all to see. Such is the case with an unprecedented series of reports Symantec has issued regarding the security of the Vista kernel. In a trilogy that won’t be adapted into a major motion picture, Symantec first examined Vista’s networking stack, then its user account-control features, and — with a final installment that arrived this week — its operating-system core. Not surprisingly, Symantec found bugs and weaknesses that could be exploited in all three areas. They didn’t find a lot of them, mind you, but they found enough to fill out their reports and attract some notice from press and analysts. That, of course, was the whole point of the exercise.
Every time Symantec issues one of these bug-hunting reports on an as-yet-unreleased operating system, Microsoft responds. Each time, the responses are similar. Microsoft points out that Vista hasn’t been released commercially yet, that Symantec was working from a relatively early beta version, and that the problems Symantec cites have been addressed or will be addressed before the operating system goes to market. Microsoft probably is right about its ability to address perceived breaches and squash bugs before Vista reaches market, but it’s definitely right about Symantec working from an early beta of an operating system that remains months away from being deployed anywhere of commercial significance.
It’s all a high-stakes game, folks. Symantec is just trying to create a climate of fear and confusion, one that will help keep the entirety of its ample security franchise intact and commercially productive for as long as possible.