Microsoft developers feel Windows pain

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1001-832048.html

By Robert Lemos 
Staff Writer, CNET News.com
February 7, 2002, 1:45 PM PT

[On the surface this looks like more Microsoft PR blowing smoke up
everyones collective asses, Having Microsoft's security-assurance
group teach security to Microsoft programmers is akin to the blind
leading the blind. If Microsoft was really concerned with security,
they would be hiring the likes of George Guninski, Rain Forest Puppy,
the boys and girls at eEye, etc. for some serious lessons on secure
programming.  - WK]


Microsoft's security-assurance group has become the software giant's
taskmaster for the next month.

Under a new push to secure software code and convince customers that
security is a top priority, Microsoft is putting its Windows
developers, testers and program managers through a crash course in
secure programming.

Over the next month, the software giant's security-assurance group
expects the training to pay off as more than 70 developer teams audit
the various software components that make up Windows XP and the
upcoming Windows .Net server operating systems.

"This is an extremely serious and encompassing effort for us," said
Steve Lipner, director of security assurance for Microsoft and a lead
manager in the effort. "We are going to get a lot of testing done. We
are going to have a lot of people who are really, really hard-core
about security distributed throughout the organization, and that's
going to change how products get built in the future."

What isn't clear is how the massive effort will affect Microsoft's
bottom line, because product groups will be busy learning about
security--but not building products. Microsoft executives said the
time needed to examine security issues has been built into product
delivery schedules.

The effort comes in the midst of Microsoft's push to develop a secure
and simple infrastructure to deliver e-business services, known as
.Net. The software titan's ability to keep such a critical
infrastructure out of harm's way has been questioned every time a
security slip or new glitch is discovered.

Those slips have been frequent. In December, a flaw in the universal
plug-and-play component of Windows XP placed consumers--especially
those on high-speed cable networks--in danger of being hacked. Then,
in January, five days of problems with the company's Windows Update
service had critics wondering whether the company could deliver on a
project as complex as .Net.

That prompted company Chairman Bill Gates to endorse a new security
initiative in a companywide memo in mid-January. In the e-mail, Gates
called for employees to put security first, urging them to help the
company make its .Net infrastructure for future Web services a
platform for trustworthy computing.

"When we face a choice between adding features and resolving security
issues, we need to choose security," he wrote. "Our products should
emphasize security right out of the box, and we must constantly refine
and improve that security as threats evolve."

The pledge has kept Microsoft's security-assurance group busy. For the
last two weeks, anyone who has contributed code to the Windows XP and
Windows .Net server CDs has been stuffed "cheek by jowl" in classrooms
for training, Lipner said.

Back to basics

Yet, training is only the first step, stressed Michael Howard, program
manager for Microsoft's Secure Windows Initiative.

"The training is only one facet of what is happening," he said.

To keep the momentum rolling, after each team finished training, it
had to draw up a plan of action for completing a review of any piece
of software for which the group was responsible. In total, Howard and
his group have received more than 70 plans detailing what teams are
going to do throughout February to secure their piece of the Windows
operating system.

"Every group that contributes to the CD has drawn up a plan to
mitigate security risks," Howard said. Key to the plans is a measure
of success--how the groups will know when they are done, he added.

The plans put program managers--the designers and big thinkers for
Microsoft's software--in the spotlight as well, Howard said. As part
of the security initiative, every manager has to justify not only the
group's programming decisions, but how the software is configured as a
component of Windows.

Program managers are being asked, "Are 90 percent of your users using
this feature? If not, then you better have a good reason for enabling
that feature by default," Howard said.

The goal is to make an everyday user's computer secure by default, he
said. "Not everyone needs IIS (Microsoft's Web server) by default," he
said. "Not everyone uses Index Server by default. So today, those
features are turned off by default."

In addition, program managers must create a definite plan to phase out
older components of Windows that are merely provided for backwards
compatibility. Such components are frequently the source of security
problems, Howard said.

Code modified by the new security initiative will be incorporated into
Windows .Net Server when it ships, and into Windows XP via Service
Pack 1, Howard said.

Security scrutiny

Other products have already undergone scrutiny from a security
standpoint.

Office XP, for example, underwent several months of security
skepticism before Microsoft released it last June, Lipner said.

And Visual Studio.Net, Microsoft's platform for developing
applications for its next-generation Internet services, was subject to
a detailed security analysis in December.

"We beat the hell out of the product for a long time to make sure
there weren't any holes that could help people get into the system,"  
said Tom Button, corporate vice president of developer tools
management.

Adding security to Visual Studio.Net is central to Microsoft's
Trustworthy Computing initiative as developers, some with little or no
experience building secure software, will be using the tool to create
programs for e-business, Button said.

Microsoft hopes the consistent mantra of "security, security,
security" will push developers--both inside and outside the
company--to build security into their products, eliminating the need
to repeat the monthlong review.

"If we did February and February alone, the initiative would fizzle
out," Howard said.

Yet, while lauding Microsoft's endorsement of security, critics and
rivals question whether the giant can deliver.

"It's going to be difficult," said Mary Ann Davidson, chief security
officer for database maker Oracle. "It is a good thing they are doing
this, and it will be good for the industry. But directing corporate
culture of any nature is like turning a battleship."

Gates himself, in a May 1995 memo urging employees to concentrate on
developing for the Internet, likened such efforts to turning a ship
the size of the Titanic.

Developer tools chief Button agreed the job is a difficult one.  
"Working at Microsoft is a bit like herding cats," he said. "The whole
wake-up call for the Internet was a real turning point of the company,
and the whole security issue feels a lot like that."

Indeed, the effort has the backing of the top management as well.

Microsoft CEO Steve Balmer pledged that, if given a choice between
shipping software with holes and delaying the product, he would put
development on hold.

Not surprisingly, Lipner echoed that sentiment.

"We ship when the product is ready," he said. "And in this case, being
ready means being secure."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.