Information Security News mailing list archives

Exchange ready to test secure code development in real world


From: InfoSec News <isn () c4i org>
Date: Mon, 30 Jun 2003 02:42:12 -0500 (CDT)

http://www.nwfusion.com/news/2003/0627trustmicrosoft.html

By John Fontana
Network World Fusion
06/27/03

When Microsoft completes development of Exchange 2003 next week it 
will not only be the end of a three-year effort but the beginning of a 
real-world gauntlet to test Microsoft's promise to develop more secure 
code. 

The company next week is releasing Exchange 2003 to manufacturing, 
which means CDs will be burned and made available to customers in the 
coming months. Microsoft also will announce pricing and licensing. 

The software is only the second major server behind the April release 
of Windows 2003 that Microsoft has developed under the Trustworthy 
Computing banner, which chief software architect Bill Gates hung out 
in January 2002. 

Gates vowed to make security a top priority when developing code, 
trumping Microsoft's infatuation with feature bloat. After Gates’s 
declaration, Microsoft developers set aside work for two months to 
learn what it takes to write secure code. 

While the move was well hyped, the proof is in the software and 
Exchange 2003 is the test case scenario.

While the Exchange server hasn't been a high profile target, its 
Outlook client has been a hacker's playground. New server features, 
however, such as allowing direct client connections to the server over 
HTTP, could potentially open up avenues for malicious activity and the 
Exchange team is bent on closing holes. 

"How we know quality is there is very subjective, part of it is your 
gut," says Betsy Speare, Exchange 2003 release manager, who oversaw 
daily staff meetings and code builds. "The question is what are your 
development motivators. If they are around ship dates you won’t make 
the same decisions compared to your responsibility being the quality 
of the software." 

The beginning

Speare's gut feeling began in March 2002, when the 
450-strong Exchange team, including 175 developers and 175 testers, 
took eight weeks off for its Trustworthy Computing lesson. Once back 
to business, the focus was on code reviews, which are done for every 
new feature added, and threat analysis on such Exchange components as 
the message store, transport, and Active Directory integration, 
according to Simon Attwell, Exchange security program manager. The 
Exchange team used tools developed by Microsoft Research to 
automatically check code for known vulnerabilities such as buffer 
overflows. The tools churned through the code at each "build" and 
updated an issue tracking system. Attwell says the process was a 
welcome change from the manual one used during the development of 
Exchange 2000. 

Other processes also were done differently, says Speare. There was 
more upfront planning to establish development criteria and 
milestones, which led to the elimination of the typical 
round-the-clock marathons in the last week before a final release, she 
said. 

"Planning gave us time to make better decisions along the way," says 
Speare.

Microsoft also had its 53 Joint Development Partners deploy some 
170,000 seats of Exchange 2003 as compared to 80,000 during 
development of Exchange 2000. Every five weeks JDP customers and 
Microsoft’s Operations Technology Group (OTG), the internal IT 
department, got a new version of the code after it passed a couple of 
weeks of uptime in Microsoft’s "dog food" testing lab. 

The company also polled feedback from its own end-users once OTG had 
Exchange 2003 running live in November. It was the first time the 
company had polled end-users during development and the process was 
done every week until launch. 

Also in November, Microsoft prepared for the release of its first 
beta, which shipped in January 2003. Exchange testers spent three 
months checking features against established release criteria. 

In February and March, with the feature set complete, development 
ceased and the focus was on finding and fixing security issues. It was 
the first time ever such a process had been initiated in the 
development cycle. 

Independent security testing firm @stake, which works with four of the 
top 10 software vendors, was brought in to do two weeks of penetration 
testing, including close scrutiny of possible vulnerabilities in 
client connections. 

Chris Wysopal, director of research and development for @stake, said 
his team found about 30 bugs and made two recommendations to meet 
Microsoft’s "secure by default" criteria, including changing a default 
so the only open RPC port was the one used by Outlook to talk to 
Exchange. 

Microsoft followed with its own internal security task force review 
during March.

The Exchange team spent from late March to mid-May on 1,000 release 
criteria tests, a series of scenario-based tests such as deploying 
public folders in a clustered environment with a diverse set of client 
access options. There was also another three-week test period with JDP 
customers and Microsoft’s OTG before the first release candidate was 
shipped on June 2. OTG continued with its testing up until the code 
was released to manufacturing. 

"We are feeling very confident about this product," says Microsoft’s 
Attwell.

Confidence and a battery of new secure development techniques 
notwithstanding, the real testing is set to begin on the customer 
gauntlet. 

The pricing of the base server has not changed compared to Exchange 
2000. The Standard Edition is priced at $699 per CPU and is targeted 
at 50 to 5,000 users. The Standard Edition will support Outlook Web 
Access, the browser client that runs off the Exchange server. The 
Enterprise Edition is priced at $3,999 per CPU and includes support 
for clustering and storage. 

The general availability of Exchange 2003 is expected to coincide with 
the release of Office 2003, which includes the Outlook 2003 client.


