[ISN] Yukon to Ship with Features Securely Off

From: InfoSec News (isn@private)
Date: Wed Feb 25 2004 - 23:17:09 PST


    http://www.eweek.com/article2/0,4149,1539058,00.asp
    
    By Lisa Vaas 
    February 25, 2004
    
    In an effort to make it more secure, Microsoft Corp.'s "Yukon" version
    of its SQL Server database will ship with certain features turned off,
    according to Microsoft Director of Product Management for SQL Server
    Tom Rizzo, in Redmond, Wash.
    
    Rizzo said that, while it's too early to say exactly which features
    will be turned off, core functionality features will be left on in
    order to ensure that getting the database running out of the box won't
    be a nightmare. "We don't want you to go to install it and find it
    won't work out of the box," he said.
     
    Microsoft engineers are also working to ensure that customers won't
    have to go through painful gyrations to turn on the turned-off
    features. "New functionality - extensions and things that make the
    server even better—we'll turn off by default, but we'll make it easy
    to turn those back on. We don't want customers to say, 'Hey, I like
    XYZ feature, but I have to go through this nightmare process to turn
    it on.'"
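    The article does not say which features Yukon would ship with disabled, but the
    released product (SQL Server 2005) implemented exactly this model: extended
    stored procedures such as xp_cmdshell, CLR integration, OLE Automation,
    Database Mail and ad hoc distributed queries are all off on a fresh install
    and are switched on through sp_configure. The following T-SQL is an added
    example written for this page, not code from the article or from Microsoft:
    it audits those options, shows how short the "turn it back on" path is, and
    gives the drift check a DBA would run afterwards. The option names are the
    real sp_configure names in SQL Server 2005 and later; the choice of which
    options to watch is this example's own.

```sql
-- Added example, not from the article: audit SQL Server's off-by-default
-- surface-area options and re-enable one deliberately.
-- sys.configurations and sp_configure exist in SQL Server 2005 and later.

-- 1. Which of the watched options are on right now?
--    value is the configured (possibly pending) value; value_in_use is the
--    value the running instance is actually using.
SELECT name, value, value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'clr enabled',
               'Ole Automation Procedures',
               'Database Mail XPs',
               'Ad Hoc Distributed Queries')
ORDER BY name;
-- On a fresh install every row above shows value_in_use = 0.

-- 2. Turning a feature back on is two statements, not a nightmare process:
--    expose the advanced options, set the flag, apply it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;   -- only for a documented, reviewed need
RECONFIGURE;

-- 3. Verify the running value changed, not just the configured one.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';           -- expect value_in_use = 1

-- 4. Drift check for a scheduled job: every row returned is a feature that
--    has left its install default and should match a change record.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'clr enabled',
               'Ole Automation Procedures',
               'Database Mail XPs',
               'Ad Hoc Distributed Queries')
  AND value_in_use <> 0;

-- 5. Return to the safe default once the need ends.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

    The point of step 4 is that "off by default, easy to turn on" only stays
    secure if someone notices what was turned on; a scheduled query against
    sys.configurations is the cheapest way to close that gap.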
    
    There are signs that the second beta of Yukon, originally expected in
    late spring or early summer, is already well on its way.
    
    While Beta 1 is a closed beta for past testers and certain customers
    only, Beta 2 will be public, and people interested in Yukon will be
    able to participate in Microsoft's Customer Preview Program.
    
    While customers await Yukon, however, SQL Server itself has been
    getting more secure, Rizzo said. Microsoft has been spending extra
    money on security, as executives acknowledged during the company's
    second-quarter financial conference call, with much of the funds
    getting pumped into educating developers and customers.
    
    One security-related educational venture has been the recent launch of
    the new Security Guidance Center on Microsoft's TechNet site. Launched
    about two weeks ago, the Center is a portal for all things
    security-related that might concern SQL Server customers.  
    Security-related funds are also going to other initiatives, including
    Webcasts, written articles and other educational ventures for outside
    partners and customers, Rizzo said.
    
    Rizzo also pointed to Microsoft's automated Baseline Security Analyzer
    tool as proof that the company is helping customers to secure SQL
    Server. Released some two years ago, this free tool seeks out
    unpatched Windows systems and applications on networks, then tells
    users what they need and where to find patches. Finally, the company
    is aiming to come out with a SQL Server-specific update feature
    similar to its current Windows Update, which notifies users when
    patches or drivers are available, though a release date has yet to be
    determined.
    
    Customers are clamoring for such a feature in hopes that it could
    protect them from catastrophes such as that wrought by Slammer.
    Slammer, a SQL Server worm that caused widespread Internet outages some
    13 months ago, exploited a buffer overrun in the SQL Server 2000
    Resolution Service (UDP port 1434) on machines that lacked a patch
    (MS02-039) that had been available for six months. As a result, many
    small to medium-sized businesses with small and/or overworked IT staffs
    voiced the need for help with patch management.
    
    Microsoft's security efforts have borne fruit. For example, SQL Server
    2000 has only had one critical alert since Service Pack 3 shipped over
    a year ago.
    
    For its part, Yukon is being designed using a three-part process.  
    First, Microsoft sends program managers, developers and testers
    through security training so they'll understand what the most common
    types of flaws are in developers' code. Such common flaws include
    unnecessarily opening network ports, buffer overruns and integer
    overruns, Rizzo said.
    
    Next, as product features are being designed, product managers follow
    a ritual of asking security-related questions about the feature, such
    as: What is the security impact of this feature? Does it open ports?
    Is it vulnerable to injection attacks? Only then are developers free to
    go off and build the feature.
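    The injection question is the one of the three that can be answered at
    the code level. The T-SQL below is an added example for this page, not
    code from the article or from Microsoft's review process: the table, both
    procedures and the probe string are constructed for illustration. It puts
    the injectable pattern (string concatenation into dynamic SQL) beside the
    form a reviewer should expect to see (a fixed statement with the value
    passed as a typed parameter through sp_executesql).

```sql
-- Added example, not from the article. Everything here is constructed
-- for illustration: a tiny table, an unsafe and a safe lookup procedure,
-- and one probe value of the kind a tester would send.

CREATE TABLE dbo.Customers (Id int PRIMARY KEY, Name nvarchar(50));
INSERT INTO dbo.Customers (Id, Name) VALUES (1, N'alice');
INSERT INTO dbo.Customers (Id, Name) VALUES (2, N'bob');
GO

-- BEFORE: the caller's string is spliced into the statement text, so data
-- supplied by the caller is interpreted as part of the query.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Name nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT Id, Name FROM dbo.Customers WHERE Name = '''
             + @Name + N'''';
    EXEC (@sql);
END
GO

-- AFTER: the statement text is constant; the value travels as a typed
-- parameter and cannot alter the structure of the query.
CREATE PROCEDURE dbo.FindCustomer_Safe @Name nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT Id, Name FROM dbo.Customers WHERE Name = @p';
    EXEC sp_executesql @sql, N'@p nvarchar(50)', @p = @Name;
END
GO

-- Constructed probe: closes the string literal and appends a tautology.
DECLARE @probe nvarchar(50);
SET @probe = N'nobody'' OR 1=1 --';

-- Unsafe: the executed text becomes
--   SELECT Id, Name FROM dbo.Customers WHERE Name = 'nobody' OR 1=1 --'
-- and every customer row comes back.
EXEC dbo.FindCustomer_Unsafe @probe;

-- Safe: the whole string, quotes and all, is compared as a name, so no
-- rows come back.
EXEC dbo.FindCustomer_Safe @probe;
```

    The review question to ask of any feature that builds SQL at run time is
    whether caller-controlled values ever reach the statement text; if they
    only ever reach sp_executesql's parameter list, the structure of the
    query is fixed at design time, which is what the "is it vulnerable to
    injection?" check is meant to establish.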
    
    The third leg of security comes in with the use of automated tools
    that scan each line of code, plucking out commonly made mistakes. Such
    tools save time: the line-by-line manual code review of SQL Server 2000
    and 7.0 that fed into Service Pack 3, back when Microsoft's security
    push began, took some three months, Rizzo said.
    
    Microsoft has also been staffing up its SWAT teams, which consist of
    ethical hackers who try to crack Yukon and other SQL Server versions.  
    Rizzo said that recently Microsoft added "a whole bunch" of ethical
    hackers to the SQL Server team but declined to name how many new
    staffers were brought on-board.
    
    "Of the 1,000 people who work on SQL Server, security's top of mind,"  
    he said. "Even though we have a SWAT team, everyone's on the SWAT
    team."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Thu Feb 26 2004 - 02:26:23 PST