Much of that is the because of the numerous bugs that continue to be found in Microsoft products, even those that have gone through the entire SDL process, such as Windows Vista. Although there is a general agreement that bugs are inevitable and that Microsoft's massive user base makes its products a far bigger target than rivals' products, the monthly patch releases have tarnished serious efforts to beef up security, according to analysts.
"I think they expected an overnight shift in terms of perception. It didn't happen," Kark said. "It's been more than six years, and it's only now that we are starting to see Microsoft being recognized as a company that values and understands and is responding to security issues."
Ironically, looking ahead Microsoft's biggest security challenges aren't going to be on the enterprise front but in the consumer market, said Pescatore. The SDL process that Gates' memo spawned should help Microsoft better secure enterprise products but is probably not flexible enough to deal with emerging Web 2.0 and software-as-a-service models, he said.
"What we haven't seen them say yet is, 'Here's a lighter-weight version of SDL for products on a faster life cycle,'" he said. As it begins to compete more directly with the likes of Google, Microsoft's challenge will be to show that it can do in the rapid application development arena what it has done with SDL for the enterprise market, Pescatore said.
Not everyone is convinced that either Gates or Microsoft has done enough to make its products more secure. David Rice, author of Geekonomics: The Real Cost of Insecure Software noted that while security went from being a "tertiary issue" at Microsoft in 2002 to an "ancillary issue" more recently, progress has been slow.
"Bill Gates leaves Microsoft with roughly 50 per cent of the server market, over 90 per cent of the desktop market and nearly 100 per cent of the word processing market," Rice said. "The battle for market dominance was won on Mr. Gates' watch, [but] security was placed at the end with no apparent ill effect to Microsoft but with significant negative impact to consumers," he said.
Rice pointed to continuing security issues with Vista as an example of the work that remains to be done by Microsoft and said that even today security tends to be more of a bolt-on than an integral part of Microsoft products. "Assertions like 'Trustworthy,' or Oracle's 'Unbreakable,' or McAfee's 'Total Protection' are vacuous and cheap to make, because there is little, if any, meaningful consequence when these assertions are shown to be false again, and again, and again," he said.