I have a bachelor's degree in computer science, and I used to make an honest living as a computer programmer before I discovered Microsoft Exchange Server. Because of my background working on spaceflight and military software, I'm intimately familiar with how hard it is to build large-scale software that has to meet stringent reliability, security, and quality targets.
Having said that, from my perspective, the Exchange team—and Microsoft overall—has come a long way in these areas during the 12 years since Exchange's introduction. This progress, particularly in security, has come about largely because of a concerted effort on Microsoft's part to do something most software companies have difficulty doing: making radical changes to their development processes to improve their product security and quality. When Bill Gates wrote his “Trustworthy Computing” memo in 2002, the idea of revamping design and development processes to incorporate security and privacy as key product elements was met with more than a little skepticism. (You can read Gates' memo at "Complete text of the Bill Gates 'Trustworthy Computing' Memo.") These changes have been expensive, and they've required some fairly deep-reaching cultural shifts at Microsoft. However, six years on, we're seeing the payoff in Microsoft's current crop of products.
That seems like a bold statement, but it's a reasonable one. If you compare the number of critical security fixes required by various products at the same point in their lifecycle (say, comparing Exchange Server 2007 at one and a half years after release with Exchange 2000 Server at one and a half years after release), or the “days of risk” caused by the gap between shipping a security bug and fixing it, you'll see that Microsoft's focus on its Security Development Lifecycle (SDL) has paid off. Take a look at Jeff Jones' security blog post for a comparison of vulnerability data in client OSs.
Comparing security statistics from different products can be tricky. After all, there are many more Exchange installations now than there were five or six years ago, and the mix—and nature—of threats has changed dramatically as well. The comparison problem gets even worse when you factor in products from multiple vendors, some of whom have a fairly lackadaisical attitude toward security fixes. (Hey, Oracle, I'm looking at you!) There's a simple way to cut through the baloney, though. Microsoft's Michael Howard expressed it well when he recounted the story of a customer he dealt with who was considering purchasing a non-Windows OS. Howard asked the customer to ask a single question of the competing vendor: "What are they doing to improve the security of their product? And by that I mean, what are they doing to reduce the chance [that] security vulnerabilities will creep into the product in the first place? And they cannot use the word 'Microsoft' in the reply" ("The First Step on the Road to More Secure Software is admitting you have a Problem").
If you ask Howard's question of other collaboration and messaging vendors, you'll see that none of them have anything approaching the robustness or reach of Microsoft's SDL. Microsoft provides software that's more robust and more secure than we would get without the SDL.
Does this all mean that Exchange is perfect? No. It's written by humans, and humans make mistakes and bad decisions from time to time. Next week, I'll delve into some areas where Exchange can use improvement—send me your suggestions to paul.robichaux@windowsitpro.com.
Free Online Event! Virtualization:Get the Facts! Register now and attend this free, live in-depth online conference on November 13 and 20, 2008, produced by Windows IT Pro. All registrants are eligible to receive a complimentary one-year digital subscription to Windows IT Pro (a $49.95 value)!
Ease Your Scripting Pains with the Flexibility of PowerShell! Join MVP Paul Robichaux on December 11, 2008 at 11:00 AM EDT as he equips you with PowerShell basics in 3 introductory lessons, each followed by a live Q&A session—all on your own computer!
Latest Advancements in SSL Technology There are a variety of different kinds of SSL to explore to ensure customer data is kept confidential and secure. In this paper, we will discuss some of these SSL advances to help you decide which would be best for your organization.
Order Your SQL Fundamentals CD Today! Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
Maximize Your SharePoint Investment: Get Your Data Moving Watch this web seminar now to learn how to maximize your SharePoint investment! Join us as we take a look at the complex business of securing, accessing and managing vast amounts of information in a global network and various ways to get your data moving.
Register
