Is Microsoft Trustworthy Yet?

Exec says yes, but notes that customers must apply security patches once flaws are found.

Peggy Watt, PCWorld.com

It's the first anniversary of Microsoft's vow of trustworthy computing. Do you feel safer? Should you?

The answer ought to be yes, said Mike Nash, corporate vice president in Microsoft's security business unit, speaking at a community program at the company's Mountain View, California, campus.

Microsoft has shelled out some $200 million training its programmers, scrutinizing existing code, and trying to break its products. While assessing the exact level of success is difficult, Microsoft contends, it has made progress in efforts to "address key customer pain."

"Microsoft and the industry as a whole still have work to do in improving how we build products in achieving trustworthy computing," Nash said.

Campaign Launched

It was about a year ago that Microsoft Chair and Chief Software Architect Bill Gates called a halt to new product development and ordered programmers to spend a month examining ongoing projects from a security standpoint. The move came as part of a new Trustworthy Computing initiative. Since then, security concerns have been part of all development efforts, not simply a checklist at the end of a project, Microsoft has said.

"We are about a year into the journey, but changes are happening," Nash said. "At Microsoft, a lot has to do with changes in culture. We've begun to make decisions in a way that prioritizes trustworthiness--really as priority zero, something that comes before things that are priority one."

For Nash, a real-world experience put him in the customer's position and helped him appreciate security challenges. During normal operations, a programmer changed a server address without documenting it, rendering most of Microsoft's Web sites temporarily unavailable.

And like many customer troubles, Microsoft's problem was internal--a documentation oversight. That experience and others caused Microsoft to underscore training and prevention as key security practices.

Nash also pointed to a 2002 study by the Computer Security Institute that cites climbing computer crime: 40 percent of respondents reported system penetration from outside, up 25 percent from 2000. But 95 percent of those breaches were due to errors in equipment configuration, according to the federally funded computer and network security body Computer Emergency Response Team (CERT) Coordination Center.

Counting bug alerts from vendors' own Web sites shows that Microsoft is not among the most notorious, Nash adds. The tally for 2002 was 34 alerts for Windows XP and 37 for Windows 2000, he said, compared with 67 for Sun's Solaris and 87 for Red Hat Linux.

"That's still higher than we'd like it to be," Nash said. "And since we have a lot more customers using our software, there's a greater need for us to get better."

Plug the Hole, Please

Examples of the need for vigilance abound. The Code Red worm that wreaked havoc in the summer of 2001 exploited vulnerabilities that Microsoft already had identified and patched, Nash said. Customers who had applied the patches ducked the worm, while everyone else suffered.

"We realized we didn't have a way to make it easy to deploy the patches," he said. Just two months later, the Nimda worm crawled across the Internet.

"About half the customers with whom we had just had stern conversations about Code Red had still not deployed the patches that would have protected them," Nash said. "It wasn't simply about adding security features or doing a review, but making sure security was a core part of the system from the start."

Microsoft's goal remains for end users to feel comfortable about the reliability of its products and services, just as you expect to hear a dial tone upon picking up a telephone, or to see the lights go on when you flip a switch.

Microsoft also wants to avoid the finger-pointing that has become typical of cross-vendor projects, Nash said.

"If there's a windstorm and a tree falls and pulls down a wire, the power company comes out and puts the wire back up, even though it isn't their wind and it isn't their tree. It should be the same with trustworthy computing," Nash said.

Ongoing Effort

Microsoft's goal is to produce software without vulnerabilities--or without flaws that can be found by those who would exploit them, Nash said. But the company also wants to make it easy for users to apply patches, an example being the automated update functions in Windows XP.

The catchwords of the security push are design, default, deployment, and communications, Nash said.

In its design focus, Microsoft has trained 11,000 engineers in-house to write more-secure code. It also has set default features to "off" when doing so makes sense, to reduce exposure to attack. Nimda exploited defaults that were set to "on," Nash noted.

For better deployment, Microsoft is documenting its architecture and encouraging training. And as for communications, the company has beefed up its security response center, especially its online resources, and it encourages feedback as well as promoting outreach. It offers development and analysis tools to enterprise customers and to development partners.

"Security review has become part of the product development process, not an extra thing we do at the end," Nash said.

Customers should see the difference with Windows Server 2003, one of the first products to go through the new security screening process, Nash said. Security issues are also a priority in Longhorn, the next desktop update of Windows.

"Security is part of what we do from now on," he said.
