[ISN] Microsoft Security Czar Critiques Efforts

From: InfoSec News (isnat_private)
Date: Tue Mar 04 2003 - 02:05:37 PST

  • Next message: InfoSec News: "[ISN] Fierce cyber war predicted"

    MARCH 03, 2003
    SCOTTSDALE, Ariz. -- Listeners praised Microsoft Corp.'s recent
    efforts to improve product security and patch management after hearing
    Scott Charney, the company's chief security strategist, describe them
    in detail. But they agreed that Microsoft hasn't yet shown it can
    reach its own security goals.
    Speaking here at the Computerworld Premier 100 conference last week,
    Charney explained how, as part of its Trustworthy Computing
    initiative, Microsoft delayed the release of products such as Windows
    2003 and Visual Studio .Net. That delay, he said, gives developers who
    have been trained in areas such as threat modeling and penetration
    testing a chance to review the software code for flaws.
    The company also added two layers of security verification outside of
    the product groups, because making developers in the product groups
    responsible for security "was like having the fox guarding the
    henhouse," Charney said.
    And despite complaints from some corporate users, Microsoft products
    will now be shipped with maximum security features turned on, Charney
    Those moves are essential, according to Phil Dunkelberger, CEO of PGP
    Corp., a software security provider in Palo Alto, Calif. "Now they
    have a guy who is a traffic cop who does not have money at stake," he
    said of Charney.
    Dunkelberger went on to praise the idea of shipping products with
    security features enabled by default. "Locking down products when
    they're released is good, even when faced with resistance from larger
    users," he said.
    But he expressed disappointment that Charney didn't discuss the idea
    of opening up the security elements of Microsoft's products to
    open-source evaluation. PGP's source code is released for open-source
    review before it's sold commercially.
    RA Vernon, chief security officer at Reuters America Inc. in New York,
    said that before Microsoft can achieve the goals of its Trustworthy
    Computing initiative, "major cultural change has to take place" within
    Charney acknowledged that that was true, specifically in relation to
    the vendor's patch management procedures, which he characterized as
    "not good today at all."
    He said Microsoft's decentralized management approach, while
    "wonderful" in many respects, is an impediment to effective patch
    management. For example, the company had eight patch installers, and
    some tools can't determine whether a patch has been installed properly
    or not.
    That, he said, will change with the release of Longhorn, the code name
    for the next release of the Windows operating system. With that
    release, which isn't expected before mid-2004 at the earliest, a
    single patch installer will exist.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Mar 04 2003 - 04:48:50 PST