The software industry needs to put improved security and reliability first

Blame it on that nebulous concept called Internet time or blame it on the need to sustain and increase revenue, but the software industry is on an ever-faster product release cycle. Vendors claim they're responding to customer requests and requirements with new releases, but new bells and whistles are the last thing most companies need.

Losing Ground
Many midsized and large organizations have installed working copies of every version of Windows, not to mention various application releases. Because most businesses operate with a mix of software releases, keeping up with the current release and establishing a standardized computing environment are almost impossible. By the time a company assembles a software deployment team, assesses the software's requirements, inventories hardware and software available to perform the rollout, plans the rollout strategy, and executes the rollout, the organization is already a version behind the current release.

In a recent IDC survey, respondents indicated that 50 percent or fewer of their systems were running Windows 2000. This revelation comes on the eve of the Windows .NET Server (Win.NET Server) release and 2 years after the release of Win2K. In this kind of mixed environment, in which each OS has different security exposures, security and software stability become crucial challenges.

Acceptable Bugs
Given the software industry's tendency to push software out the door, a "good enough" mentality permeates today's development methodologies. No software development project strives to fix all known bugs or plug existing security holes. Instead, the industry focuses on features to attract new sales. In fact, the acceptable software defect rate is approximately 15 bugs per 1000 lines of code. Consider this ratio in relation to Win2K, which contains 50 million lines of code. If Microsoft had met the accepted industry standard, Win2K would have shipped with 750,000 bugs. In all fairness, Microsoft's development effort is probably much better than the industry average.

To its credit, Microsoft has acknowledged this situation with its Trustworthy Computing campaign, which strives to make computing "as available, reliable, and secure as electricity, water services, or telephony." Following the announcement of the initiative, Microsoft Chairman and Chief Software Architect Bill Gates quickly distributed a memo informing employees to place security at the top of their agenda and thought processes. The end result was a somewhat melodramatic month-long suspension of new development so that the company could concentrate on addressing code quality. Although a step in the right direction, the Trustworthy Computing initiative and a temporary break in new development aren't enough. As the continuing stream of security alerts and bug reports attest, a 1-month effort won't fix the problem. However, the first step to fixing a problem is recognizing it exists, and Microsoft is certainly aware of the problem.

Given that many businesses are still coping with the Win2K upgrade and others are just now running on the Win2K platform, the industry doesn't need another version of Windows server software. Instead, Microsoft needs to dramatically raise the bar in software quality. Win.NET Server provides Microsoft with the perfect opportunity to slow down the OS release merry-go-round and make good on the company's lip service to Trustworthy Computing. The most compelling upgrade scenario is one that provides a new level of security and reliability. Come to think of it, weren't better security and reliability the initial mission of Windows NT?