I have a bachelor's degree in computer science, and I used to make an honest living as a computer programmer before I discovered Microsoft Exchange Server. Because of my background working on spaceflight and military software, I'm intimately familiar with how hard it is to build large-scale software that has to meet stringent reliability, security, and quality targets.
Having said that, from my perspective, the Exchange team—and Microsoft overall—has come a long way in these areas during the 12 years since Exchange's introduction. This progress, particularly in security, has come about largely because of a concerted effort on Microsoft's part to do something most software companies have difficulty doing: making radical changes to their development processes to improve their product security and quality. When Bill Gates wrote his “Trustworthy Computing” memo in 2002, the idea of revamping design and development processes to incorporate security and privacy as key product elements was met with more than a little skepticism. (You can read Gates' memo at "Complete text of the Bill Gates 'Trustworthy Computing' Memo.") These changes have been expensive, and they've required some fairly deep-reaching cultural shifts at Microsoft. However, six years on, we're seeing the payoff in Microsoft's current crop of products.
That seems like a bold statement, but it's a reasonable one. If you compare the number of critical security fixes required by various products at the same point in their lifecycle (say, comparing Exchange Server 2007 at one and a half years after release with Exchange 2000 Server at one and a half years after release), or the “days of risk” caused by the gap between shipping a security bug and fixing it, you'll see that Microsoft's focus on its Security Development Lifecycle (SDL) has paid off. Take a look at Jeff Jones' security blog post for a comparison of vulnerability data in client OSs.
Comparing security statistics from different products can be tricky. After all, there are many more Exchange installations now than there were five or six years ago, and the mix—and nature—of threats has changed dramatically as well. The comparison problem gets even worse when you factor in products from multiple vendors, some of whom have a fairly lackadaisical attitude toward security fixes. (Hey, Oracle, I'm looking at you!) There's a simple way to cut through the baloney, though. Microsoft's Michael Howard expressed it well when he recounted the story of a customer he dealt with who was considering purchasing a non-Windows OS. Howard asked the customer to ask a single question of the competing vendor: "What are they doing to improve the security of their product? And by that I mean, what are they doing to reduce the chance \[that\] security vulnerabilities will creep into the product in the first place? And they cannot use the word 'Microsoft' in the reply" ("The First Step on the Road to More Secure Software is admitting you have a Problem").
If you ask Howard's question of other collaboration and messaging vendors, you'll see that none of them have anything approaching the robustness or reach of Microsoft's SDL. Microsoft provides software that's more robust and more secure than we would get without the SDL.
Does this all mean that Exchange is perfect? No. It's written by humans, and humans make mistakes and bad decisions from time to time. Next week, I'll delve into some areas where Exchange can use improvement—send me your suggestions to [email protected].