http://www.eweek.com/article2/0,3959,561985,00.asp By Dennis Fisher September 30, 2002 Although much of the hype surrounding Trustworthy Computing has subsided, Microsoft Corp. is quietly pushing the initiative ahead with behind-the-scenes efforts that include an extension of its developer training program and the possible development of additional stand-alone security products. But while customers give Microsoft credit for its recent efforts, some said the company has much work to do before it reaches Chairman Bill Gates' stated goal of making software as reliable as electrical power. Among recent changes at Microsoft is the inclusion in every product group of a person responsible for the security of that product's code. Although developers remain accountable for their code, the security liaison is accountable for the overall quality of the product. Each product group's security representative, in turn, reports to Mike Nash, the vice president of the new security business unit, who is the single point of contact companywide. The new organizational structure is part of an effort to ensure that customer feedback about security receives prompt attention, Nash said last week in an interview with eWeek. "Our customers are telling us they not only want fewer vulnerabilities but also want us to make it easier for them to run our products in a secure way," Nash said. "When there are problems, we're trying to reduce the amount of friction it takes to fix them." For customers, a more tangible result of the Trustworthy Computing campaign is the new SUS (Software Update Service) patch management system. The SUS is a download that enables IT managers to set up their own Windows Update staging server inside their networks. The server, released last week, polls the Windows Update site and displays a list of patches and hot fixes available for specified products. The administrator can then approve downloads, which are delivered to the SUS server. Client machines then check the SUS server on a regular basis and pull down the patches needed. Users who have tested the technology say it's a move in the right direction, but it has limitations. "It's a decent first attempt but not great," said Andrew Nielsen, a senior technologist with Raytheon Co. working on a contract at NASA Ames Research Center, in Moffett Field, Calif., who is finishing a SUS deployment. "There's a lot of room for improvement. It is what it is. The reporting capabilities need some work, and I had some problems with the synchronization telling me updates were available after I had already approved them for download," he said. "However, I'm pretty confident that subsequent versions will be better." The SUS server can't roll out service packs, nor can it push updates through firewalls to "child" SUS servers set up in other locations, Nielsen said. Microsoft's early work on Trustworthy Computing included putting all its developers through a lengthy training course on writing secure code and undertaking a massive bug hunt in its millions of lines of Windows code. The effort had an immediate effect when the Redmond, Wash., company decided to delay the release of its key .Net Server family, as well as a beta of the new SQL Server, because of problems found during the code review. The security training for developers is an ongoing process, Microsoft's Nash said, and all new developers must go through the program within 30 days of joining the company. Microsoft has also developed an internal tool, roughly analogous to the Unix-based Lint program, that looks at code constructs to find bugs and vulnerabilities. Nash said the company is considering developing more security products as well to complement the Internet Security and Acceleration Server firewall it sells. But he declined to give details on which categories Microsoft might go after. "If Microsoft were to do that, it would be in an area where we have unique capabilities," Nash said. The Trustworthy Computing initiative has also brought about a major shift in priorities at Microsoft with regard to the way the company deals with customer feedback, Nash said. Gone are the days when features and functionality held sway over all other considerations in product development. "Responding to customer security issues is the most important thing we do," Nash said. "It's a change. It's a clarifying thing, and it's a cultural change." - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 05:12:49 PDT