MS hits anniversary

Bill Gates recently marked the one-year anniversary of Microsoft’s "trustworthy computing" initiative by sending out an e-mail commending his company’s progress to date.

The e-mail came shortly before the SQL Slammer worm appeared, exploiting a buffer-overflow vulnerability in Microsoft's SQL Server 2000 and MSDE 2000 for which a patch had been available for months.

The trustworthy computing initiative was launched by Microsoft just over a year ago in recognition that it needed to do a better job of creating more secure, less buggy software. It began with an internal e-mail from Gates asking Microsoft employees to make security a priority when developing products.

"Trustworthy computing is intended to be a long-term initiative that will take a decade to realize," said Rick Miller, a Microsoft spokesperson.

When people pick up the phone, they have no doubt that they’ll get a dial tone, Miller said, and that’s the same kind of reliability that Microsoft wants to bring to computing.

"Building security into software, particularly after the software has been constructed, is not an overnight process," said David Freund, an analyst with Illuminata.

It’ll take a lot of work, and Microsoft has produced many millions of lines of code that it has to go back and re-examine, he said. "That said, the company has made some good efforts in this area."

The company has shown a willingness to notify users of security problems as they arise, and to get patches out the door, Freund said. Subsequent releases have also tended to improve in stability and reliability, he said.

The problem is there will always be a juggling act between creating applications that are secure versus those that are easy to access and use. "The design center for most of Microsoft’s existence has been ease of use," Freund added.

Another problem, which is by no means unique to Microsoft, is that companies have been rushing to get products out the door as quickly as possible. This was especially true during the dot-com bubble days, Freund said. Now both vendors and users alike are slowing down.

Some IT managers said they think Microsoft's progress should be judged based on the number of vulnerabilities they see in future releases. But many customers may continue to use older products that haven't been the focal point of Microsoft's security push.

"In the short term, I'm resigned to an increasing cycle of patches and updates to existing systems that my already-overwhelmed technicians have to implement," said Paul Lanham, senior vice-president and chief technology officer at Jones Apparel Group.

Marc Maiffret, co-founder and chief hacking officer of eEye Digital Security, said Microsoft should be devoting more attention to ridding its current products of vulnerabilities. "It seems like they're much more worried about tomorrow, which they should be. But I think today is even more important," he said.

Windows Server 2003 (formerly .Net Server) was originally scheduled to ship alongside its desktop counterpart, Windows XP. Microsoft's decision to delay the server release instead shows that the company is committed to its trustworthy computing initiative, Freund said.

Microsoft’s new approach to development consists of four main tenets -- creating software that is secure by design, secure by default and secure in deployment, and communicating openly about security, Miller said.

Secure by design means recognizing that the company needs to do a better job of building products securely from the ground up. Secure by default means that whereas in the past the company shipped software with most of its functionality turned on, it is now shipping software in a locked-down state, in the most secure configuration possible. It will now be up to sys admins to turn functions on rather than turn them off, Miller said.

Although the company hopes to eliminate as many errors as possible in the design phase, it recognizes that patches will always be needed. The secure in deployment part of the initiative means it will work on making sure patches are of good quality and readily available.

Code Red, Nimda and the new Slammer worm could all have been avoided if people had applied the patches that were out there, Miller said.

"That’s not in any way pushing the blame on system admins. We need to do a better job producing more quality and more seamless patches. But nevertheless, if you keep your system patched, then you’re not going to be vulnerable to attacks like this," he said.

Microsoft recently got hit by the Slammer worm because it failed to patch some of its own internal-facing servers.

In terms of communication, the company said it is trying to keep its customers clearly informed of security problems as they arise.

The company only began its trustworthy computing initiative a year ago because historically computers have been isolated, Miller said.

"[Applications] were built more for a standalone environment and so you had a computer that was running, and there wasn’t a need for security," he said.


Poonam Khanna

IDG News Service