[ISN] Microsoft developers feel Windows pain

From: InfoSec News (isnat_private)
Date: Thu Feb 07 2002 - 22:50:11 PST

  • Next message: InfoSec News: "[ISN] Microsoft Recalls Botched Browser Security Patch"

    By Robert Lemos 
    Staff Writer, CNET News.com
    February 7, 2002, 1:45 PM PT
    [On the surface this looks like more Microsoft PR blowing smoke up
    everyones collective asses, Having Microsoft's security-assurance
    group teach security to Microsoft programmers is akin to the blind
    leading the blind. If Microsoft was really concerned with security,
    they would be hiring the likes of George Guninski, Rain Forest Puppy,
    the boys and girls at eEye, etc. for some serious lessons on secure
    programming.  - WK]
    Microsoft's security-assurance group has become the software giant's
    taskmaster for the next month.
    Under a new push to secure software code and convince customers that
    security is a top priority, Microsoft is putting its Windows
    developers, testers and program managers through a crash course in
    secure programming.
    Over the next month, the software giant's security-assurance group
    expects the training to pay off as more than 70 developer teams audit
    the various software components that make up Windows XP and the
    upcoming Windows .Net server operating systems.
    "This is an extremely serious and encompassing effort for us," said
    Steve Lipner, director of security assurance for Microsoft and a lead
    manager in the effort. "We are going to get a lot of testing done. We
    are going to have a lot of people who are really, really hard-core
    about security distributed throughout the organization, and that's
    going to change how products get built in the future."
    What isn't clear is how the massive effort will affect Microsoft's
    bottom line, because product groups will be busy learning about
    security--but not building products. Microsoft executives said the
    time needed to examine security issues has been built into product
    delivery schedules.
    The effort comes in the midst of Microsoft's push to develop a secure
    and simple infrastructure to deliver e-business services, known as
    .Net. The software titan's ability to keep such a critical
    infrastructure out of harm's way has been questioned every time a
    security slip or new glitch is discovered.
    Those slips have been frequent. In December, a flaw in the universal
    plug-and-play component of Windows XP placed consumers--especially
    those on high-speed cable networks--in danger of being hacked. Then,
    in January, five days of problems with the company's Windows Update
    service had critics wondering whether the company could deliver on a
    project as complex as .Net.
    That prompted company Chairman Bill Gates to endorse a new security
    initiative in a companywide memo in mid-January. In the e-mail, Gates
    called for employees to put security first, urging them to help the
    company make its .Net infrastructure for future Web services a
    platform for trustworthy computing.
    "When we face a choice between adding features and resolving security
    issues, we need to choose security," he wrote. "Our products should
    emphasize security right out of the box, and we must constantly refine
    and improve that security as threats evolve."
    The pledge has kept Microsoft's security-assurance group busy. For the
    last two weeks, anyone who has contributed code to the Windows XP and
    Windows .Net server CDs has been stuffed "cheek by jowl" in classrooms
    for training, Lipner said.
    Back to basics
    Yet, training is only the first step, stressed Michael Howard, program
    manager for Microsoft's Secure Windows Initiative.
    "The training is only one facet of what is happening," he said.
    To keep the momentum rolling, after each team finished training, it
    had to draw up a plan of action for completing a review of any piece
    of software for which the group was responsible. In total, Howard and
    his group have received more than 70 plans detailing what teams are
    going to do throughout February to secure their piece of the Windows
    operating system.
    "Every group that contributes to the CD has drawn up a plan to
    mitigate security risks," Howard said. Key to the plans is a measure
    of success--how the groups will know when they are done, he added.
    The plans put program managers--the designers and big thinkers for
    Microsoft's software--in the spotlight as well, Howard said. As part
    of the security initiative, every manager has to justify not only the
    group's programming decisions, but how the software is configured as a
    component of Windows.
    Program managers are being asked, "Are 90 percent of your users using
    this feature? If not, then you better have a good reason for enabling
    that feature by default," Howard said.
    The goal is to make an everyday user's computer secure by default, he
    said. "Not everyone needs IIS (Microsoft's Web server) by default," he
    said. "Not everyone uses Index Server by default. So today, those
    features are turned off by default."
    In addition, program managers must create a definite plan to phase out
    older components of Windows that are merely provided for backwards
    compatibility. Such components are frequently the source of security
    problems, Howard said.
    Code modified by the new security initiative will be incorporated into
    Windows .Net Server when it ships, and into Windows XP via Service
    Pack 1, Howard said.
    Security scrutiny
    Other products have already undergone scrutiny from a security
    Office XP, for example, underwent several months of security
    skepticism before Microsoft released it last June, Lipner said.
    And Visual Studio.Net, Microsoft's platform for developing
    applications for its next-generation Internet services, was subject to
    a detailed security analysis in December.
    "We beat the hell out of the product for a long time to make sure
    there weren't any holes that could help people get into the system,"  
    said Tom Button, corporate vice president of developer tools
    Adding security to Visual Studio.Net is central to Microsoft's
    Trustworthy Computing initiative as developers, some with little or no
    experience building secure software, will be using the tool to create
    programs for e-business, Button said.
    Microsoft hopes the consistent mantra of "security, security,
    security" will push developers--both inside and outside the
    company--to build security into their products, eliminating the need
    to repeat the monthlong review.
    "If we did February and February alone, the initiative would fizzle
    out," Howard said.
    Yet, while lauding Microsoft's endorsement of security, critics and
    rivals question whether the giant can deliver.
    "It's going to be difficult," said Mary Ann Davidson, chief security
    officer for database maker Oracle. "It is a good thing they are doing
    this, and it will be good for the industry. But directing corporate
    culture of any nature is like turning a battleship."
    Gates himself, in a May 1995 memo urging employees to concentrate on
    developing for the Internet, likened such efforts to turning a ship
    the size of the Titanic.
    Developer tools chief Button agreed the job is a difficult one.  
    "Working at Microsoft is a bit like herding cats," he said. "The whole
    wake-up call for the Internet was a real turning point of the company,
    and the whole security issue feels a lot like that."
    Indeed, the effort has the backing of the top management as well.
    Microsoft CEO Steve Balmer pledged that, if given a choice between
    shipping software with holes and delaying the product, he would put
    development on hold.
    Not surprisingly, Lipner echoed that sentiment.
    "We ship when the product is ready," he said. "And in this case, being
    ready means being secure."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Feb 08 2002 - 03:41:27 PST