[ISN] Seeking signs of Microsoft security push

From: InfoSec News (isnat_private)
Date: Tue Mar 05 2002 - 00:16:33 PST

  • Next message: InfoSec News: "[ISN] Internet-based Counterintelligence against the CIA"

    By Robert Lemos 
    Staff Writer, CNET News.com
    March 4, 2002, 6:45 AM PT
    Five weeks after Bill Gates rang an alarm over security lapses in his
    company's software, people are still waiting for real evidence that
    Microsoft has substantially refocused its priorities.
    Microsoft has released some tools to help developers and customers add
    more security to their systems and has made much ado about retraining
    its developers during a security crash course that lasted all of
    February. But customers are still waiting to see if the company has
    made a fundamental shift in philosophy, said Alan Paller, director of
    research for the Systems Administration Networking and Security (SANS)  
    "We have no data anywhere in the field about any (security)  
    improvement on any product," he said. "That's not saying that nothing
    is better, but just that we can't judge yet."
    On Thursday, Microsoft acknowledged that it wouldn't ship Windows .Net
    Server until the latter half of 2002. One of the reasons, a
    representative for the software titan said Friday, was to allow the
    development team to further tighten security.
    Other efforts also indicate that Microsoft is working to secure its
    products. In January and February, the company retrained more than
    9,000 developers, product managers and testers in how to build
    security into their products. At the RSA Data Security conference last
    month, the company showed off a program to scan for known
    vulnerabilities in its products.
    The initiatives follow a mid-January memo from Gates, Microsoft's
    chairman, exhorting employees to make the company's products more
    trustworthy and to incorporate not just more security, but also more
    consumer-oriented handling of data. In the past, a similar
    message--sent to redirect the company's energy to Internet development
    and to undermine Netscape's browser leadership--led to a fundamental
    shift in Microsoft's strategy.
    Another such shift may already be happening, said Marc Maiffret, chief
    hacking officer for network protection company eEye Digital Security.
    Maiffret maintained that a change in Microsoft's philosophy would be
    evident if the software giant released a string of advisories on
    security holes that it found itself. Though such notices are generally
    bad for the company's image, he argued that notifying customers of any
    issues it patched would be showing that the company cared more about
    security than image.
    Recently, the Redmond, Wash.-based company did just that.
    "There was one advisory where they had found the flaw themselves,"  
    Maiffret said. "I don't know that one means that they are being that
    proactive. But if they continue to make (flaws) public, that could
    indicate that another fundamental shift is under way."
    Although the software giant's delay in releasing Windows .Net Server
    could also indicate a shift, the SANS Institute's Paller stressed that
    there was no way to judge whether the company really was adding a lot
    of security to the server operating system or merely pulling off a
    good marketing maneuver.
    "If I needed to delay a product and I wanted to avoid negative PR,
    that's what I would say as well," Paller said.
    In fact, for Microsoft--a company noted for its inability to keep a
    deadline--the excuse could be used often.
    "I bet every delayed product this year will be due to security
    concerns," Paller said.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 04:20:38 PST