Information Security News mailing list archives

Yukon to Ship with Features Securely Off


From: InfoSec News <isn () c4i org>
Date: Thu, 26 Feb 2004 01:17:09 -0600 (CST)

http://www.eweek.com/article2/0,4149,1539058,00.asp

By Lisa Vaas 
February 25, 2004

In an effort to make it more secure, Microsoft Corp.'s "Yukon" version
of its SQL Server database will ship with certain features turned off,
according to Microsoft Director of Product Management for SQL Server
Tom Rizzo, in Redmond, Wash.

Rizzo said that, while it's too early to say exactly which features
will be turned off, core functionality features will be left on in
order to ensure that getting the database running out of the box won't
be a nightmare. "We don't want you to go to install it and find it
won't work out of the box," he said.
 
Microsoft engineers are also working to ensure that customers won't
have to go through painful gyrations to turn on the turned-off
features. "New functionality - extensions and things that make the
server even better - we'll turn off by default, but we'll make it easy
to turn those back on. We don't want customers to say, 'Hey, I like
XYZ feature, but I have to go through this nightmare process to turn
it on.'"
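What "off by default, easy to turn back on" looks like in practice, as an added example rather than anything from the article or from Microsoft: in the released product (Yukon shipped as SQL Server 2005) optional subsystems are server-level options managed with sp_configure and visible in sys.configurations. The list of option names below is this example's own choice of commonly disabled features, not the article's statement of which ones ship off; it assumes sysadmin rights on a SQL Server 2005 or later instance.

```sql
-- Added example (not from the article): audit the optional features an
-- instance leaves disabled, then enable exactly one of them on purpose.
-- Assumes SQL Server 2005+ and sysadmin membership.

-- The surface-area options are "advanced", so expose them first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Report the current state of the options this example chooses to audit
-- (option names are real SQL Server settings; the selection is ours).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell',
               N'clr enabled',
               N'Ole Automation Procedures',
               N'Ad Hoc Distributed Queries',
               N'Database Mail XPs',
               N'remote access')
ORDER BY name;
-- Expected on a default install: value_in_use = 0 for xp_cmdshell,
-- clr enabled, Ole Automation Procedures, Ad Hoc Distributed Queries and
-- Database Mail XPs.

-- Turn on only the feature a workload actually needs; here CLR
-- integration. RECONFIGURE applies it without a service restart.
EXEC sp_configure 'clr enabled', 1;
RECONFIGURE;

-- Re-check so that the one change, and nothing else, is visible.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'clr enabled';
```

The same query run periodically, or compared against a known-good baseline, is a cheap detection of someone quietly re-enabling xp_cmdshell or Ole Automation on a production instance.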

There are signs that the second beta of "Yukon" (which is the code
name for Microsoft Corp.'s update of its SQL Server database),
originally expected in late spring or early summer, is already well on
its way.

While Beta 1 is a closed beta for past testers and certain customers
only, Beta 2 will be public, and people interested in Yukon will be
able to participate in Microsoft's Customer Preview Program.

While customers await Yukon, however, SQL Server itself has been
getting more secure, Rizzo said. Microsoft has been spending extra
money on security, as executives acknowledged during the company's
second-quarter financial conference call, with much of the funds
getting pumped into educating developers and customers.

One security-related educational venture has been the recent launch of
the new Security Guidance Center on Microsoft's TechNet site. Launched
about two weeks ago, the Center is a portal for all things
security-related that might concern SQL Server customers.  
Security-related funds are also going to other initiatives, including
Webcasts, written articles and other educational ventures for outside
partners and customers, Rizzo said.

Rizzo also pointed to the Microsoft Baseline Security Analyzer (MBSA)
as proof that the company is helping customers to secure SQL Server.
Released some two years ago, this free tool scans Windows systems and
applications on a network for missing patches and common
misconfigurations, then tells users what they need and where to find
the patches. Finally, the company is aiming to come out with a SQL
Server-specific update feature similar to its current Windows Update,
which notifies users when patches or drivers are available, though a
release date has yet to be determined.

Customers are clamoring for such a feature in hopes that it could
protect them from catastrophes such as that wrought by Slammer.
Slammer, the SQL Server worm that caused widespread Internet outages
some 13 months ago, in January 2003, exploited a buffer overrun in the
SQL Server Resolution Service on UDP port 1434 on machines that lacked
a patch (MS02-039) that had been available since July 2002. As a
result, many small to medium-sized businesses with small and/or
overworked IT staffs voiced the need for help with patch management.

Microsoft's security efforts have borne fruit. For example, SQL Server
2000 has only had one critical alert since Service Pack 3 shipped over
a year ago.

For its part, Yukon is being designed using a three-part process.
First, Microsoft sends program managers, developers and testers
through security training so they'll understand the most common
types of flaws in developers' code. Such common flaws include
unnecessarily opened ports, buffer overruns and integer overruns,
Rizzo said.

Next, as product features are being designed, product managers follow
a fixed checklist of security questions about the feature, such as:
what is the security impact of this feature? Does it open ports? Is
it vulnerable to injection attacks? Only then are developers free to go
off and build the feature.
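The "is it vulnerable to injection attacks?" question, made concrete as an added example that is not from the article: a stored procedure that builds its statement text from caller input, beside the same procedure written with sp_executesql parameters. The table, procedure names and sample rows are constructed for illustration and the T-SQL keeps to SQL Server 2005-era syntax.

```sql
-- Added example (not from the article). Names and data are constructed.
CREATE TABLE dbo.Customers (
    CustomerId int          NOT NULL PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    City       nvarchar(100) NOT NULL
);
INSERT INTO dbo.Customers (CustomerId, Name, City) VALUES (1, N'Alice', N'Seattle');
INSERT INTO dbo.Customers (CustomerId, Name, City) VALUES (2, N'Bob',   N'Redmond');
GO

-- Vulnerable: the caller's string becomes part of the statement text,
-- so quote characters in it change the query's structure.
CREATE PROCEDURE dbo.FindByCity_Unsafe @City nvarchar(100) AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = '''
             + @City + N'''';
    EXEC (@sql);
END;
GO

-- Hardened: the statement text is a constant; the value travels as a
-- typed parameter and can never be parsed as SQL.
CREATE PROCEDURE dbo.FindByCity_Safe @City nvarchar(100) AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = @p';
    EXEC sp_executesql @sql, N'@p nvarchar(100)', @p = @City;
END;
GO

-- Hostile input. The unsafe procedure executes
--   ... WHERE City = 'x' OR 1=1 --'
-- and returns both rows; the safe one searches for a city literally
-- named  x' OR 1=1 --  and returns no rows.
EXEC dbo.FindByCity_Unsafe N'x'' OR 1=1 --';
EXEC dbo.FindByCity_Safe   N'x'' OR 1=1 --';
GO
```

The review question in the design checklist is therefore not "does this feature run dynamic SQL?" but "is any caller-controlled value concatenated into statement text?"; the safe form above still runs dynamic SQL and is fine.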

The third leg of security is the use of automated tools that scan
each line of code and flag commonly made mistakes. Such tools help
with scale: the line-by-line manual code analysis performed on SQL
Server 2000 and 7.0 back when Microsoft's security push resulted in
Service Pack 3 took some three months, Rizzo said.

Microsoft has also been staffing up its SWAT teams, which consist of
ethical hackers who try to break into Yukon and other SQL Server
versions. Rizzo said that Microsoft recently added "a whole bunch" of
ethical hackers to the SQL Server team but declined to say how many
new staffers were brought on board.

"Of the 1,000 people who work on SQL Server, security's top of mind,"  
he said. "Even though we have a SWAT team, everyone's on the SWAT
team."



-
ISN is currently hosted by Attrition.org
