In Depth
Corporate Image: Security Sells
Some companies are so serious about security, they try to make it part of their corporate image
By Malcolm Wheatley
A little short of three years later, Microsoft is still hesitant to portray itself as now trusted and secure. The company talks about security, sure. Windows XP Service Pack 2, says Microsoft's Miller, is promoted "because Microsoft feels that it provides better protection for its customers." But Trustworthy Computing itself is still a long way from victory.
In fact, says Chief Security Strategist Scott Charney, who describes the initiative as "very much a work in progress," Microsoft has had to apply strong-arm tactics to software vendors who have built Microsoft technologies into their products: They are not to make claims that aren't yet matched by the reality that Gates wants to see. "We've told vendors not to put out advertisements saying that you can have a secure environment on a Microsoft platform, because we're just not there yet," says Charney.
Nor will those vendors be making such claims anytime soon. According to Charney, Trustworthy Computing is a root-and-branch reform of the way the company conceives, designs and codes its products. Some practices were probably long overdue: a central database logging every alteration to a product's code, for example. But the biggest transformation has been the decision to adopt what Charney describes as a "security development lifecycle."
"We've changed the way that we develop code: We first develop threat models that look at how that code might be attacked
No product has yet gone through the whole process, but Charney offers some evidence that products being released today (which have gone through at least part of the process) have a much improved security performance. Windows Server 2000, for example, had 42 distinct security flaws announced in the first year of release. Windows Server 2003, however, had just 14. That's a data point that might show the way to a transformed brand and image for a company that sorely needs to get the security religion.
OnStar Sells Peace of Mind
If you're going to set up in business as a guardian angel, you'd better be a guardian angel that people trust. That, in a nutshell, is the brand challenge facing OnStar, the in-car, cell-phone-based driver assistance service. Lost and confused, in an auto wreck, broken down or needing any other kind of assistance? Press the OnStar button in your car and a friendly voice will answer, ready to assist you.



