TechWeb

Gates Pledges More Security Improvements

Jan 23, 2003 (07:01 PM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=6512234


Microsoft has made headway in its Trustworthy Computing pledge, but chairman Bill Gates says it can do better.

In the latest of his monthly missives, part of Microsoft's ongoing executive E-mail public-relations campaign, Gates focused on what the company has done to deliver a more secure computing environment while admitting that more work lies ahead.

"While we've accomplished a lot in the past year, there is still more to do--at Microsoft and across the industry," Gates said.

Gates outlined the security initiative to Microsoft and its employees a year ago. Since then, he said, Microsoft has spent $200 million on improving Windows security and significantly more to bolster security for its other product lines.

In response to the better-security promise, Gates wrote, Microsoft has changed its development methodologies to integrate threat modeling into its design work. As part of that process, Microsoft put its Windows engineers through a 10-week security refresher to teach them to think like hackers and asked them to sniff through the Windows code for leaks and security problems.

"Fully one-half of all bugs identified during the Windows security push were found during threat analysis," he said.

The stakes are high, Gates wrote in his E-mail. "A secure computing platform has never been more important," he said. "Along with the vast benefits of increased connectivity, new security risks have emerged on a scale that few in our industry fully anticipated."

But the company's eye on security is paying dividends, Gates claimed. As evidence, he cites more secure products already released, such as Windows XP Service Pack 1 and Visual Studio .Net. Other programs scheduled for release during the first half of 2003 will also benefit, among them Windows Server 2003 (set for release in April), Office 11, and the next versions of SQL and Exchange Servers.

Among other efforts, Microsoft has changed the way programs' defaults are set. In the past, a feature was typically enabled if Microsoft thought there was any chance a customer might want to use it. Now, however, Microsoft "locks down" software by setting default options for the most secure environment.

Michael Cherry, an analyst with Decisions on Microsoft, an independent research firm that specializes in following Microsoft's moves, sees this approach as one of the best proofs that the company is serious about security.

"I like the work they've done," he says, "in particular locking down the software so Windows doesn't come with everything turned on."

Cherry points out that Microsoft's 3-D attack on security--the Ds standing for default, design, and deployment--shows that it's serious about addressing security concerns.

"In the design process, it used to be that engineers only sort of thought about security," he says. "No one was going to give you a hard time if your code didn't take security into consideration. Now you have to prove how your feature deals with security."

But like Gates, Cherry sees room for improvement. "It's frustrating to me that I have to go to two update sites, one for Office and another for Windows," he says. "I think Microsoft's security efforts will pay off tremendously for customers in the future, but it could do more to make our current pain go away."

Gates' E-mail follows the year's first critical security alert from Microsoft about vulnerabilities in Windows.

Even here, Cherry notes that the company has made improvements. A year ago, he says, it would often take as long as a week for a critical security alert to get a hot fix. "They've tightened the time frame," he says, adding that the time from alert to update is now well under 24 hours on average.