Computerworld
Quick Menu
Search



Ads by TechWords

See your link here


Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Finance
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 
Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Premier 100: Microsoft security czar critiques company's efforts

 

Sign up to receive Security Resource Alerts

February 25, 2003 (Computerworld) -- SCOTTSDALE, Ariz. -- Listeners praised Microsoft Corp.'s recent efforts to improve product security and patch management after hearing them described in detail by Scott Charney, the company's chief security strategist. But they agreed that Microsoft has not yet shown it can reach its own security goals.
Speaking here at the Computerworld Premier 100 conference, Charney explained how, as part of its Trustworthy Computing initiative, Microsoft has delayed the release of products such as Windows 2003 and Visual Studio .Net. That way, he said, developers who have been trained in areas such as threat modeling and penetration testing can review the software code for flaws.
The company also added two layers of security verification outside of the product groups, because having developers in the product groups be responsible for security "was like having the fox guarding the henhouse," Charney said. Now, his department and an outside firm handle "pen testing" before a product is certified for public release.
And despite complaints from some corporate users, Microsoft products will now be shipped with maximum security features turned on, Charney said.
Those moves are essential, according to Phil Dunkelberger, CEO of PGP Corp., a software security provider in Palo Alto, Calif. "Now they have a guy who is a traffic cop who does not have money at stake," he said of Charney.
Dunkelberger went on to praise the idea of shipping products with security features enabled by default. "Locking down products when they're released is good, even when faced with resistance from larger users," he said.
But he expressed disappointment that Charney didn't discuss the idea of opening up the security elements of Microsoft's products to open-source evaluation. PGP's source code is released for open-source review before it's sold commercially.
RA Vernon, chief security officer at Reuters America in New York, said Microsoft's efforts are moving "in the right direction" but "are long overdue on Microsoft's part."
Microsoft has significant hurdles to cross before it can say it has achieved its goal of "trustworthy computing," said Vernon.
"This is a major undertaking," he said. "The company has a monstrous infrastructure of products to secure. Is it doable? Yes. But in the short term, we will see a number of hiccups."
Vernon also expressed worries that before Microsoft can achieve the goals of its Trustworthy Computing initiative, "major cultural change has to take place."
Charney acknowledged that issue, specifically in relation to patch management procedures, which he characterized as "not good today at all." He said Microsoft's decentralized management approach, while "wonderful" in many respects, becomes an impediment to effective patch management. For example, the company had eight different patch installers, and some toolscan't determine whether a patch has been installed properly or not.
That, he said, will change with the release of Longhorn, the code name for the next release of the Windows operating system. With that release, which isn't expected before mid-2004 at the earliest, a single patch installer will exist.







Print this Story Send Us Feedback E-mail this Story Digg! Digg this Story Slashdot this Story
"Welcome to a special IT Blogwatch EXTRA: as Richi Jennings watches bloggers' reactions to the Russian hackers who claim to..." Read more...
"As if taxpayers needed another reason to scorn the IRS. I read yesterday that the inspector general review of several..." Read more...
Read more Security posts or See all Blogs
Feds considering changes to H-1B application process in wake of report
Exploit code loose for six-month-old Windows bug
With market meltdown, which tech firms become predator or prey?
More top stories...
The Grill: Privacy is a thing of the past, says private investigator
Report: World Bank servers breached repeatedly
Apple asks judge to make iPhone lawsuit moot
Too much junk food, too little exercise and a 24/7 tether to technology? Your body ain't happy, friend. Let us count the pains.
Instruments on the surface of Mars have detected falling snow that is likely evaporating before it reaches the planet.
One positive development stemming from the collapse of Wall Street may be a boost in interest in computer science and IT careers among students who were previously interested in financial services jobs.
Getting new software installed on Linux doesn't have to be hard, but it can differ depending on what you're installing.
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Business Continuity Zone
The File Data Management Zone
Security Management Zone
The SAS Zone
Business Intelligence and Analytics Zone
Windows Protection Zone
The Enterprise Search Zone
Software as a Service Zone
The Security Zone

Ads by TechWords

See your link here
From Laggard to Leader: Transforming the Data Center
From Laggard to Leader: Transforming the Data Center
Register for this complimentary webcast today!
Go to the webcast 
Computerworld Executive Bulletin: Building a Robust Antivirus Defense
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
(Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more.
Download this executive briefing download
Quick Sizing Guide for SAS Grid Running on HP BladeSystems and EVA Storage
Download this white paper today!
(Source: HP) Designed for CIOs, IT managers, data center managers and grid computing architects seeking to improve performance, SAS Grid Computing on the HP BladeSystem c-Class helps accelerate growth and mitigate risks with a simplified, consolidated infrastructure that's agile enough to efficiently handle change. SAS Grid Manager on HP BladeSystem can lower costs through automation, virtualization and improved IT efficiency.
Download this white paper go
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Business Transaction Management: Facilitating the Management of Virtual Environments
Quick Sizing Guide for SAS Grid Running on HP BladeSystems and EVA Storage
Prudential Financial protects its brand with Symantec Data Loss Prevention solutions
View more whitepapers