

Windows the MOST secure OS .... Look out applications! (...And Introducing Design Fors!)

My colleague, Beth Patton, makes a very interesting point about the impact of improving OS security.  For the second half of 2006, Symantec rated Microsoft as having fewer vulnerabilities and a faster patch time than the other most commonly used operating systems: Red Hat Linux, Apple's Mac OS, Sun Solaris, and HP-UX.  Moreover, analysts are finding that Windows Vista security is "considerably better than XP".

Beth's observation about the impact of a more secure OS:

Because the OS is getting more secure, the next area for exploiters to target is the third-party applications that are running on the OS. It will be more important than ever for organizations to have strong software development practices that have serious security focus in their design, coding, and reviews, as well as the tools that their developers use (such as Visual Studio).

Right on the money, Beth.  It's not a new area of concern, but it's one that continues to become more important.  MSDN has secure coding guidelines here

Secure coding guidelines are a technical topic, and if you've read this blog before you know I usually focus on the business end of things vs. the technology end.  No, I'm not changing that practice -- application security is a very serious business issue, and for S-OX compliance, auditors are definitely looking at this.  Beyond the compliance angle, it's a matter of trust with your customers, partners, and employees.  

Many manufacturing companies follow a Design For Six Sigma in their product development processes.  A good thing.  I propose a series of "Design Fors..."  that IT shops should follow when building applications: 

    1. Design for Security.   Have and follow secure coding practices / security development lifecycle, and deploy on secure platforms. If you have to, create extra, burdensome manual processes and reviews to ensure security is where it needs to be.  Of course, a MUCH better approach is to have tools that help you bake security into your standard way of working by default, like you can with MSF and Visual Studio Team System.   

      Whatever you have to do, this type of quality is not optional.  This is not a technology issue.  This is a matter of business reputation and customer/partner relationships.  It's an opportunity for IT to show some real "business" leadership for the enterprise.  
       

    2. Design for User Experience.   For consumer and partner-facing applications, this is a significant competitive advantage because it helps you "connect" with your consumers/partners in ways that are meaningful to them.  This goes beyond creating an emotional connection with visuals and interaction models.  IMO, the goal should be creating utility for consumers in the classic microeconomic sense of the term.  In other words, the more value they get from your application the more they want to use it.  Rocket science?  No.  But how do you actually maximize the value for consumers/partners?  Think about how you fit, or could fit, into their lives and the goals people want to accomplish.  Think broadly.  More is possible every day, and there are tremendous opportunities around every corner for companies to enable their consumers/partners.  Whether they consciously realize it or not, many companies make their businesses within one small part of a large customer process.  When I'm trying to decide if I should stop at 7-11 or Kroger or Safeway or Meijer for milk on the way home from work, I'm not shopping -- I'm commuting, and I'm liable to pick the store that will get me on my way fastest even if the milk is more expensive.  Serve me like a commuter (help me get in/out faster), and I'll shop at your store.  Can IT help with this?  Absolutely. 

      For internal applications, the story is basically the same.  Designing for User Experience is still a significant competitive advantage.  Provide people greater, holistic, total value, and they will make your company more successful.  Applications are often designed at the scope of the new functionality that is getting added.  In many companies, if a department needs a new report, and there's a standard for creating reports, the approach of IT shops is often to just create the report and leave it at that.  But what if the users of the report need to copy/paste the data into Excel, do some analysis, email the spreadsheet around to get input from others, import it into an Access database, create a new report, then email it to someone else asking for approval, and then go back to the original system and add some new data?  The entire process could be streamlined with better information controls and insight into process execution by pulling the data into SharePoint and Excel Services, using workflow to notify others to get their comments and manage the approval processes, and perhaps even execute update processes, as well.  Technology today can bring appropriate levels of order to significantly improve the semi-structured processes that make up MOST of what information workers do during their work days.  

      I haven't spent much time blogging on this yet, but one element I'll expand on in a future post is context-sensitive application behaviors -- a very powerful approach for creating applications that helps make people more effective as they pursue their goals. 

      Bottom line, if you're helping people interact with information in the natural flow of their work (when they need it, where they need it, how they need it, in the context they need it), then you're probably enabling them with a great design. 

      BTW #1, for the thoughts of a "real Designer", check out Chris Bernard's blog.  I have ideas about design based on my experiences finding better ways to do things -- especially around what it means to make life better for people vs. simply making things "pretty".  Chris has many more ideas, and likely better ones, too, gained from good-old-fashioned professional experience and designer leadership to back them up! 

      BTW #2, Here's a great interview with Jenny Lam, the Creative Lead for Windows Vista, talking about the power and importance of experience in design: https://channel9.msdn.com/playground/wpfe/videolibrary/default.html#8.  (And when you're watching the video, notice how resizing the browser window can resize the video player embedded in the web page thanks to the magic of WPF/E!)

    3. Design for Insight.   When you're creating applications, one of the most important things you can do is to build in "listeners" to understand how people are using your applications.  This is also a great way to learn how to make your applications better.  You can find and fix root cause issues far more effectively, and you can gain tremendous insights into where people spend their time -- either because of the great value they get, or because of the great burden they face at some critical step.  And like Design for User Experience, the same principle holds for internal and customer/partner facing applications. 

So, those are the three "Design Fors" that popped into my head tonight.  What did I miss?  Would you propose other "Design Fors"?

Comments

  • Anonymous
    April 11, 2007
    Started reading when applying for a software job in order to formalise my thoughts.  Soon emailed it around a few friends.  Good ideas and writing!