http://news.com.com/2100-1001-850232.html By Robert Lemos Staff Writer, CNET News.com March 4, 2002, 6:45 AM PT Five weeks after Bill Gates rang an alarm over security lapses in his company's software, people are still waiting for real evidence that Microsoft has substantially refocused its priorities. Microsoft has released some tools to help developers and customers add more security to their systems and has made much ado about retraining its developers during a security crash course that lasted all of February. But customers are still waiting to see if the company has made a fundamental shift in philosophy, said Alan Paller, director of research for the Systems Administration Networking and Security (SANS) Institute. "We have no data anywhere in the field about any (security) improvement on any product," he said. "That's not saying that nothing is better, but just that we can't judge yet." On Thursday, Microsoft acknowledged that it wouldn't ship Windows .Net Server until the latter half of 2002. One of the reasons, a representative for the software titan said Friday, was to allow the development team to further tighten security. Other efforts also indicate that Microsoft is working to secure its products. In January and February, the company retrained more than 9,000 developers, product managers and testers in how to build security into their products. At the RSA Data Security conference last month, the company showed off a program to scan for known vulnerabilities in its products. The initiatives follow a mid-January memo from Gates, Microsoft's chairman, exhorting employees to make the company's products more trustworthy and to incorporate not just more security, but also more consumer-oriented handling of data. In the past, a similar message--sent to redirect the company's energy to Internet development and to undermine Netscape's browser leadership--led to a fundamental shift in Microsoft's strategy. Another such shift may already be happening, said Marc Maiffret, chief hacking officer for network protection company eEye Digital Security. Maiffret maintained that a change in Microsoft's philosophy would be evident if the software giant released a string of advisories on security holes that it found itself. Though such notices are generally bad for the company's image, he argued that notifying customers of any issues it patched would be showing that the company cared more about security than image. Recently, the Redmond, Wash.-based company did just that. "There was one advisory where they had found the flaw themselves," Maiffret said. "I don't know that one means that they are being that proactive. But if they continue to make (flaws) public, that could indicate that another fundamental shift is under way." Although the software giant's delay in releasing Windows .Net Server could also indicate a shift, the SANS Institute's Paller stressed that there was no way to judge whether the company really was adding a lot of security to the server operating system or merely pulling off a good marketing maneuver. "If I needed to delay a product and I wanted to avoid negative PR, that's what I would say as well," Paller said. In fact, for Microsoft--a company noted for its inability to keep a deadline--the excuse could be used often. "I bet every delayed product this year will be due to security concerns," Paller said. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 04:20:38 PST