Microsoft Puts Meat Behind Security Push

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,3959,561985,00.asp

By Dennis Fisher 
September 30, 2002 

Although much of the hype surrounding Trustworthy Computing has
subsided, Microsoft Corp. is quietly pushing the initiative ahead with
behind-the-scenes efforts that include an extension of its developer
training program and the possible development of additional
stand-alone security products.

But while customers give Microsoft credit for its recent efforts, some
said the company has much work to do before it reaches Chairman Bill
Gates' stated goal of making software as reliable as electrical power.

Among recent changes at Microsoft is the inclusion in every product
group of a person responsible for the security of that product's code.  
Although developers remain accountable for their code, the security
liaison is accountable for the overall quality of the product.

Each product group's security representative, in turn, reports to Mike
Nash, the vice president of the new security business unit, who is the
single point of contact companywide.

The new organizational structure is part of an effort to ensure that
customer feedback about security receives prompt attention, Nash said
last week in an interview with eWeek.

"Our customers are telling us they not only want fewer vulnerabilities
but also want us to make it easier for them to run our products in a
secure way," Nash said. "When there are problems, we're trying to
reduce the amount of friction it takes to fix them."

For customers, a more tangible result of the Trustworthy Computing
campaign is the new SUS (Software Update Service) patch management
system. The SUS is a download that enables IT managers to set up their
own Windows Update staging server inside their networks.

The server, released last week, polls the Windows Update site and
displays a list of patches and hot fixes available for specified
products. The administrator can then approve downloads, which are
delivered to the SUS server. Client machines then check the SUS server
on a regular basis and pull down the patches needed.

Users who have tested the technology say it's a move in the right
direction, but it has limitations.

"It's a decent first attempt but not great," said Andrew Nielsen, a
senior technologist with Raytheon Co. working on a contract at NASA
Ames Research Center, in Moffett Field, Calif., who is finishing a SUS
deployment. "There's a lot of room for improvement. It is what it is.  
The reporting capabilities need some work, and I had some problems
with the synchronization telling me updates were available after I had
already approved them for download," he said. "However, I'm pretty
confident that subsequent versions will be better."

The SUS server can't roll out service packs, nor can it push updates
through firewalls to "child" SUS servers set up in other locations,
Nielsen said.

Microsoft's early work on Trustworthy Computing included putting all
its developers through a lengthy training course on writing secure
code and undertaking a massive bug hunt in its millions of lines of
Windows code. The effort had an immediate effect when the Redmond,
Wash., company decided to delay the release of its key .Net Server
family, as well as a beta of the new SQL Server, because of problems
found during the code review.

The security training for developers is an ongoing process,
Microsoft's Nash said, and all new developers must go through the
program within 30 days of joining the company. Microsoft has also
developed an internal tool, roughly analogous to the Unix-based Lint
program, that looks at code constructs to find bugs and
vulnerabilities.

Nash said the company is considering developing more security products
as well to complement the Internet Security and Acceleration Server
firewall it sells. But he declined to give details on which categories
Microsoft might go after.

"If Microsoft were to do that, it would be in an area where we have
unique capabilities," Nash said.

The Trustworthy Computing initiative has also brought about a major
shift in priorities at Microsoft with regard to the way the company
deals with customer feedback, Nash said. Gone are the days when
features and functionality held sway over all other considerations in
product development.

"Responding to customer security issues is the most important thing we
do," Nash said. "It's a change. It's a clarifying thing, and it's a
cultural change."




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.