I have a bachelor's degree in computer science, and I used to make an honest living as a computer programmer before I discovered Microsoft Exchange Server. Because of my background working on spaceflight and military software, I'm intimately familiar with how hard it is to build large-scale software that has to meet stringent reliability, security, and quality targets.
Having said that, from my perspective, the Exchange team—and Microsoft overall—has come a long way in these areas during the 12 years since Exchange's introduction. This progress, particularly in security, has come about largely because of a concerted effort on Microsoft's part to do something most software companies have difficulty doing: making radical changes to their development processes to improve their product security and quality. When Bill Gates wrote his “Trustworthy Computing” memo in 2002, the idea of revamping design and development processes to incorporate security and privacy as key product elements was met with more than a little skepticism. (You can read Gates' memo at "Complete text of the Bill Gates 'Trustworthy Computing' Memo.") These changes have been expensive, and they've required some fairly deep-reaching cultural shifts at Microsoft. However, six years on, we're seeing the payoff in Microsoft's current crop of products.
That seems like a bold statement, but it's a reasonable one. If you compare the number of critical security fixes required by various products at the same point in their lifecycle (say, comparing Exchange Server 2007 at one and a half years after release with Exchange 2000 Server at one and a half years after release), or the “days of risk” caused by the gap between shipping a security bug and fixing it, you'll see that Microsoft's focus on its Security Development Lifecycle (SDL) has paid off. Take a look at Jeff Jones' security blog post for a comparison of vulnerability data in client OSs.
Comparing security statistics from different products can be tricky. After all, there are many more Exchange installations now than there were five or six years ago, and the mix—and nature—of threats has changed dramatically as well. The comparison problem gets even worse when you factor in products from multiple vendors, some of whom have a fairly lackadaisical attitude toward security fixes. (Hey, Oracle, I'm looking at you!) There's a simple way to cut through the baloney, though. Microsoft's Michael Howard expressed it well when he recounted the story of a customer he dealt with who was considering purchasing a non-Windows OS. Howard asked the customer to ask a single question of the competing vendor: "What are they doing to improve the security of their product? And by that I mean, what are they doing to reduce the chance [that] security vulnerabilities will creep into the product in the first place? And they cannot use the word 'Microsoft' in the reply" ("The First Step on the Road to More Secure Software is admitting you have a Problem").
If you ask Howard's question of other collaboration and messaging vendors, you'll see that none of them have anything approaching the robustness or reach of Microsoft's SDL. Microsoft provides software that's more robust and more secure than we would get without the SDL.
Does this all mean that Exchange is perfect? No. It's written by humans, and humans make mistakes and bad decisions from time to time. Next week, I'll delve into some areas where Exchange can use improvement—send me your suggestions to paul.robichaux@windowsitpro.com.
A deep fear of Microsoft drove Google to create its own Web browser, the company's cofounders implicitly admitted Tuesday, though each was careful never to mention the software giant by name. Instead, during a press conference, Google's leaders discussed ...
IT Connections Dive into the new Microsoft platforms and products you implement and support with the experts from Microsoft, TechNet Magazine, Windows ITPro and industry gurus. There are 70+ sessions and interactive panels with networking opportunities.
Attention User Group Leaders... Announcing the eNews Generator—a FREE HTML e-newsletter builder for user group leaders. Build your HTML and text e-newsletters in minutes and add Windows IT Pro & SQL Server Mag articles alongside your own message!.
Master SharePoint with 3 eLearning Seminars Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!
Get SQL Server 2008 at WinConnections Don’t miss Microsoft Exchange and Windows Connections conferences, the premier events for Microsoft IT Professionals in Las Vegas, November 10-13. Every attendee will receive a copy of SQL Server 2008 Standard Edition with one CAL.
Order Your SQL Fundamentals CD Today! Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
Register
