Seeking signs of Microsoft security push

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1001-850232.html

By Robert Lemos 
Staff Writer, CNET News.com
March 4, 2002, 6:45 AM PT

Five weeks after Bill Gates rang an alarm over security lapses in his
company's software, people are still waiting for real evidence that
Microsoft has substantially refocused its priorities.

Microsoft has released some tools to help developers and customers add
more security to their systems and has made much ado about retraining
its developers during a security crash course that lasted all of
February. But customers are still waiting to see if the company has
made a fundamental shift in philosophy, said Alan Paller, director of
research for the Systems Administration Networking and Security (SANS)  
Institute.

"We have no data anywhere in the field about any (security)  
improvement on any product," he said. "That's not saying that nothing
is better, but just that we can't judge yet."

On Thursday, Microsoft acknowledged that it wouldn't ship Windows .Net
Server until the latter half of 2002. One of the reasons, a
representative for the software titan said Friday, was to allow the
development team to further tighten security.

Other efforts also indicate that Microsoft is working to secure its
products. In January and February, the company retrained more than
9,000 developers, product managers and testers in how to build
security into their products. At the RSA Data Security conference last
month, the company showed off a program to scan for known
vulnerabilities in its products.

The initiatives follow a mid-January memo from Gates, Microsoft's
chairman, exhorting employees to make the company's products more
trustworthy and to incorporate not just more security, but also more
consumer-oriented handling of data. In the past, a similar
message--sent to redirect the company's energy to Internet development
and to undermine Netscape's browser leadership--led to a fundamental
shift in Microsoft's strategy.

Another such shift may already be happening, said Marc Maiffret, chief
hacking officer for network protection company eEye Digital Security.

Maiffret maintained that a change in Microsoft's philosophy would be
evident if the software giant released a string of advisories on
security holes that it found itself. Though such notices are generally
bad for the company's image, he argued that notifying customers of any
issues it patched would be showing that the company cared more about
security than image.

Recently, the Redmond, Wash.-based company did just that.

"There was one advisory where they had found the flaw themselves,"  
Maiffret said. "I don't know that one means that they are being that
proactive. But if they continue to make (flaws) public, that could
indicate that another fundamental shift is under way."

Although the software giant's delay in releasing Windows .Net Server
could also indicate a shift, the SANS Institute's Paller stressed that
there was no way to judge whether the company really was adding a lot
of security to the server operating system or merely pulling off a
good marketing maneuver.

"If I needed to delay a product and I wanted to avoid negative PR,
that's what I would say as well," Paller said.

In fact, for Microsoft--a company noted for its inability to keep a
deadline--the excuse could be used often.

"I bet every delayed product this year will be due to security
concerns," Paller said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.