I have a bachelor's degree in computer science, and I used to make an honest living as a computer programmer before I discovered Microsoft Exchange Server. Because of my background working on spaceflight and military software, I'm intimately familiar with how hard it is to build large-scale software that has to meet stringent reliability, security, and quality targets.
Having said that, from my perspective, the Exchange team—and Microsoft overall—has come a long way in these areas during the 12 years since Exchange's introduction. This progress, particularly in security, has come about largely because of a concerted effort on Microsoft's part to do something most software companies have difficulty doing: making radical changes to their development processes to improve their product security and quality. When Bill Gates wrote his “Trustworthy Computing” memo in 2002, the idea of revamping design and development processes to incorporate security and privacy as key product elements was met with more than a little skepticism. (You can read Gates' memo at "Complete text of the Bill Gates 'Trustworthy Computing' Memo.") These changes have been expensive, and they've required some fairly deep-reaching cultural shifts at Microsoft. However, six years on, we're seeing the payoff in Microsoft's current crop of products.
That seems like a bold statement, but it's a reasonable one. If you compare the number of critical security fixes required by various products at the same point in their lifecycle (say, comparing Exchange Server 2007 at one and a half years after release with Exchange 2000 Server at one and a half years after release), or the “days of risk” caused by the gap between shipping a security bug and fixing it, you'll see that Microsoft's focus on its Security Development Lifecycle (SDL) has paid off. Take a look at Jeff Jones' security blog post for a comparison of vulnerability data in client OSs.
Comparing security statistics from different products can be tricky. After all, there are many more Exchange installations now than there were five or six years ago, and the mix—and nature—of threats has changed dramatically as well. The comparison problem gets even worse when you factor in products from multiple vendors, some of whom have a fairly lackadaisical attitude toward security fixes. (Hey, Oracle, I'm looking at you!) There's a simple way to cut through the baloney, though. Microsoft's Michael Howard expressed it well when he recounted the story of a customer he dealt with who was considering purchasing a non-Windows OS. Howard asked the customer to ask a single question of the competing vendor: "What are they doing to improve the security of their product? And by that I mean, what are they doing to reduce the chance [that] security vulnerabilities will creep into the product in the first place? And they cannot use the word 'Microsoft' in the reply" ("The First Step on the Road to More Secure Software is admitting you have a Problem").
If you ask Howard's question of other collaboration and messaging vendors, you'll see that none of them have anything approaching the robustness or reach of Microsoft's SDL. Microsoft provides software that's more robust and more secure than we would get without the SDL.
Does this all mean that Exchange is perfect? No. It's written by humans, and humans make mistakes and bad decisions from time to time. Next week, I'll delve into some areas where Exchange can use improvement—send me your suggestions to paul.robichaux@windowsitpro.com.
Microsoft late Tuesday made changes to its Windows Genuine Advantage (WGA) Notifications anti-piracy service in Windows XP, a change that should begin appearing on users' desktops over the next few months. The company says it made the changes in order ...
Master SharePoint with 3 eLearning Seminars Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!
SharePointConnections Conference Fall 2008 Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).
VMworld 2008 - Sign Up Today! Join your peers on September 15-18 at The Venetian Hotel in Las Vegas as VMware hosts VMworld 2008, the leading Virtualization event.
Microsoft® Tech•Ed EMEA 2008 IT Professionals Advance your thinking with new ideas and practical real-world solutions at Microsoft’s FIVE day technical infrastructure conference 3-7 Nov., 2008. Register before 26 September 2008 to save €300.
Order Your SQL Fundamentals CD Today! Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
Are You Really Compliant with Software Regulations? View this web seminar that will help you with compliance best practices and check out a management solution to assure that you won’t be in jeopardy of an audit.
Register
