'Trustworthy' plan plods uphill

Wednesday will mark the one-year anniversary of the day that Bill Gates decreed, via a companywide memo, that "Trustworthy Computing" would be the highest priority for all the work Microsoft Corp. employees do.

Plenty of hurdles still lie ahead for Microsoft as it tries to strike the proper balance between ensuring the security of its software and pushing out the sort of innovative, increasingly scalable and more complex products it needs to keep its business thriving.

"There is always a trade-off between new functionality and security exposures, and a perfect example of that is BSD," said Andre Mendes, chief technology integration officer at the Public Broadcasting Service, referring to the BSD Unix operating system. "It is fairly secure, but it is also fairly devoid of any but the simplest of operating system functionality."

Craig Mundie, chief technical officer of advanced strategies and policy at Microsoft, likened the technological challenge Microsoft faces to "chasing a rocket ship."

"We continue to scale up the capability of the systems. As they get bigger and bigger, complexity mounts, and to some extent, those things all work against the idea that, well, can we really get this thing stabilized and improved?" Mundie said. He said he worries about maintaining the balance "between having to make the product and the business go forward and trying to lock it all down."

"If things weren't moving, it would be easier," Mundie said. "But they have to keep moving, or there would be no business."

Looking at it from a business management standpoint, he noted the challenges the company faces in coming up with audit measurements to ensure that "the effort doesn't dissipate," especially since it could take 10 to 20 years to achieve technological success. Yet another problem is the testing issues the company confronts when it decides that it needs to make a security fix that will affect a system as large as Windows, Mundie said.

Several IT managers said they think Microsoft's Trustworthy Computing progress should be judged based on the number of vulnerabilities they see in future releases. But many customers may continue to use older products that haven't been the focal point of Microsoft's security push.

"In the short term, I'm resigned to an increasing cycle of patches and updates to existing systems that my already overwhelmed technicians have to implement," said Paul Lanham, senior vice president and chief technology officer at Jones Apparel Group Inc. in Bristol, Pa. "I'm hoping that the next generation of products from Microsoft addresses these issues so that there is a reasonable balance between the features that customers insist upon and basic security measures in the products offered."

Marc Maiffret, co-founder and chief hacking officer of eEye Digital Security Inc. in Aliso Viejo, Calif., said Microsoft should be devoting more attention to ridding its current products of vulnerabilities. "It seems like they're much more worried about tomorrow, which they should be. But I think today is even more important," he said.

As nice as it would be, reviews of older products may not be a realistic expectation, said Jason Fossen, a SANS Institute lecturer and president of Fossen Networking & Security, a Windows security consultancy in Dallas. "If they're fixing old stuff, there are fewer resources being dedicated to the current version," he said. "It's better to focus on Windows .Net Server and Windows XP."

Indeed, Microsoft is pinning its hopes on its newly renamed Windows Server 2003 operating system to showcase the fruits of its security labors. It shuttered Windows production for 10 weeks last year to do security training and code reviews. One big change is that the Web server and other potentially vulnerable features are turned off by default.

But Walt Smith, chief architect at a large U.S.-based financial institution, is worried that Microsoft will become "easily distracted" from its latest security efforts, which "bring them only delayed gratification in terms of revenue."

"As soon as the next killer application comes along, Microsoft will go chasing after it and forget all about making their infrastructure and product offerings robust and reliable, at least until the next security exposure," Smith said.

2002 Trustworthy Computing

JANUARY

- Bill Gates issues Trustworthy Computing memo to all employees.
- Planning and curriculum development is done for Windows security review.

FEBRUARY

- Training on writing secure code begins for 11,000 employees.
- Windows division shuts down production to do threat modeling and code review.
- Visual Studio .Net and .Net Framework ship.

APRIL

- Windows production shutdown ends; implementation and testing of changes identified during the initiative continues until late 2002.
- Microsoft Baseline Security Analyzer released.
- Detailed privacy handbook, which serves as the basis for the Privacy Health Index measurement tool, is distributed companywide.

MAY THROUGH JULY

- SQL Server, Exchange, Office complete security pushes.

JUNE

- Public announcement of the work being done on Palladium, a code name for a new set of features in Windows that, when combined with new hardware, is expected to improve PC security.
- Software Update Services, a critical patch deployment tool for small to medium-size customers, is released.

AUGUST

- Windows 2000 Service Pack 3 is released.

SEPTEMBER

- Windows XP Service Pack 1 is released.
- MSN 8 launches with advanced spam prevention and controls.
- Windows Media Player 9 Series, launched in beta, includes a new privacy and security tab to give users control over personal information.

NOVEMBER

- System Management Server Feature Packs are released.
- Improves security response communications by updating severity rating system and producing consumer security bulletins.

DECEMBER

- Microsoft Baseline Security Analyzer Version 1.1 is released.
- Second edition of "Writing Secure Code," by Microsoft employees Michael Howard and David LeBlanc, is released.

Source: Microsoft Corp.

Security Focus

Mike Nash, vice president of Microsoft's security business unit, said the company's Trustworthy Computing "journey" has so far included the following efforts:

Secure by Design: Reduce the number of vulnerabilities in products from a design and implementation perspective.

2002: Trained more than 11,000 employees on what it means to design and write secure code, made developers accountable for security and released security-focused service packs for Windows XP and 2000.

Secure by Default: Reduce the attack surface area by shipping software with potentially vulnerable components disabled.

2002: Turned off vulnerable features, such as the Web server, in Windows Server 2003, and changed share permissions in Windows XP via Service Pack 1.

Secure in Deployment: Supply tools, documentation and guidance to empower users to protect their environments.

2002: Released the Software Update Services critical patch deployment tool, made automatic update feature available to Windows 2000 users, released Microsoft Baseline Security Analyzer and introduced prescriptive documents for Windows 2000 and Exchange Server.

Communication: Share information with customers and security professionals.

2002: Instituted a new severity rating system and added consumer security bulletins.

Copyright © 2003 IDG Communications, Inc.

  