Last week, I wrote about Microsoft CEO Steve Ballmer's comment, "Rest assured we will never have a gap between Windows releases as long as the one between XP and Windows Vista." My perspective was that longer release cycles often help with the security aspects of OS development, primarily because they provide more time to work on features and functions.
I received a response from a reader who has a different perspective on release cycles. The reader wrote that we might "be better off from a security [point of view] shipping [OS releases] more rapidly." The reader argues that "threats evolve quickly, and so must our responses. [Not to imply] that it is OK to turn out bad quality, but quick [OS upgrade turnaround times] give [developers] more flexibility to respond to changing conditions. [On the other hand,] it's hard to [create] really innovative stuff in short stages, so there also need to be some long cycles to accommodate [the truly creative aspects of OS evolution]."
He continues, "Here's another wrinkle to consider: If you go a long time between releases, upgrading becomes harder, and the [end users] stay on the old version longer. [It seemed like] it was going to take forever for people to migrate [away from Windows NT 4.0.] A lot of [the migration delay was] because it was a fairly long haul between NT 4.0 and Win2K, and there were a lot of changes [including] a whole new [user interface], a whole new administration model, etc. [Because of such dramatic differences, end users kept using] the old [OS] longer, which isn't good for security. [So it appears that] if we want to optimize for security, we need to shorten the upgrade cycle, not lengthen it."
The reader also offered some observations about Microsoft Office: First, Microsoft did a good job of upgrading the Office suite, including auditing the code to find faults that could have led to security problems. Because of the security focus placed on the Office suite, there weren't many vulnerabilities for roughly two years. However, the reader pointed out that a few significant changes took place in the security community in the meantime: "The attackers have a business model--vulns do sell for about $25K--and they're using some reasonably sophisticated fuzzers." (Fuzzers inject all sorts of data into applications to look for weaknesses.)
The reader's opinion is that effectively all the work Microsoft did on Office bought the company about two years of time. But, because of unforeseen developments in the realms of intrusion, Microsoft could have actually used three years of time without vulnerabilities because that's how long it's taking to ready the next release of Office. Therefore, "if the release cycle of Office were shorter, they'd be in a better defensive position, but then again, [Microsoft] can't [develop the really creative stuff, as seen in the new version of Office] on a short cycle."
So there you have it: A very different perspective from the one I presented last week. My thanks to the reader (who wished to remain unnamed) for providing an argument that makes a lot of sense.