[ISN] Microsoft Puts Meat Behind Security Push

From: InfoSec News (isnat_private)
Date: Tue Oct 01 2002 - 02:04:02 PDT

  • Next message: InfoSec News: "[ISN] Virus poses as Microsoft security patch"

    By Dennis Fisher 
    September 30, 2002 
    Although much of the hype surrounding Trustworthy Computing has
    subsided, Microsoft Corp. is quietly pushing the initiative ahead with
    behind-the-scenes efforts that include an extension of its developer
    training program and the possible development of additional
    stand-alone security products.
    But while customers give Microsoft credit for its recent efforts, some
    said the company has much work to do before it reaches Chairman Bill
    Gates' stated goal of making software as reliable as electrical power.
    Among recent changes at Microsoft is the inclusion in every product
    group of a person responsible for the security of that product's code.  
    Although developers remain accountable for their code, the security
    liaison is accountable for the overall quality of the product.
    Each product group's security representative, in turn, reports to Mike
    Nash, the vice president of the new security business unit, who is the
    single point of contact companywide.
    The new organizational structure is part of an effort to ensure that
    customer feedback about security receives prompt attention, Nash said
    last week in an interview with eWeek.
    "Our customers are telling us they not only want fewer vulnerabilities
    but also want us to make it easier for them to run our products in a
    secure way," Nash said. "When there are problems, we're trying to
    reduce the amount of friction it takes to fix them."
    For customers, a more tangible result of the Trustworthy Computing
    campaign is the new SUS (Software Update Service) patch management
    system. The SUS is a download that enables IT managers to set up their
    own Windows Update staging server inside their networks.
    The server, released last week, polls the Windows Update site and
    displays a list of patches and hot fixes available for specified
    products. The administrator can then approve downloads, which are
    delivered to the SUS server. Client machines then check the SUS server
    on a regular basis and pull down the patches needed.
    Users who have tested the technology say it's a move in the right
    direction, but it has limitations.
    "It's a decent first attempt but not great," said Andrew Nielsen, a
    senior technologist with Raytheon Co. working on a contract at NASA
    Ames Research Center, in Moffett Field, Calif., who is finishing a SUS
    deployment. "There's a lot of room for improvement. It is what it is.  
    The reporting capabilities need some work, and I had some problems
    with the synchronization telling me updates were available after I had
    already approved them for download," he said. "However, I'm pretty
    confident that subsequent versions will be better."
    The SUS server can't roll out service packs, nor can it push updates
    through firewalls to "child" SUS servers set up in other locations,
    Nielsen said.
    Microsoft's early work on Trustworthy Computing included putting all
    its developers through a lengthy training course on writing secure
    code and undertaking a massive bug hunt in its millions of lines of
    Windows code. The effort had an immediate effect when the Redmond,
    Wash., company decided to delay the release of its key .Net Server
    family, as well as a beta of the new SQL Server, because of problems
    found during the code review.
    The security training for developers is an ongoing process,
    Microsoft's Nash said, and all new developers must go through the
    program within 30 days of joining the company. Microsoft has also
    developed an internal tool, roughly analogous to the Unix-based Lint
    program, that looks at code constructs to find bugs and
    Nash said the company is considering developing more security products
    as well to complement the Internet Security and Acceleration Server
    firewall it sells. But he declined to give details on which categories
    Microsoft might go after.
    "If Microsoft were to do that, it would be in an area where we have
    unique capabilities," Nash said.
    The Trustworthy Computing initiative has also brought about a major
    shift in priorities at Microsoft with regard to the way the company
    deals with customer feedback, Nash said. Gone are the days when
    features and functionality held sway over all other considerations in
    product development.
    "Responding to customer security issues is the most important thing we
    do," Nash said. "It's a change. It's a clarifying thing, and it's a
    cultural change."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 05:12:49 PDT