MS creates new group to clean its coding act

IDG News Service

Microsoft Corp. is expanding its security business unit with a group that will establish new software development processes and create tools for its programmers so that future Microsoft products will have fewer security flaws, a Microsoft executive said earlier this month.

The new Security Engineering Strategy team will look at security across all Microsoft product lines, with the ultimate goal being that customers will take security for granted in the company’s products, said Steve Lipner, the recently named director of Security Engineering Strategy at Microsoft.

“My position really is recognition of the fact that there are a lot of security aspects to building and shipping software products at Microsoft, and we need to do a more coherent job of looking forward across all the products we ship, trying to address security holes before they are discovered outside of Microsoft,” Lipner said.

“What we’re focusing on is improving our processes for building code that is as good and particularly as secure as we can possibly make it,” he said.

Lipner previously headed Microsoft’s Security Response Center (MSRC), the part of Microsoft that handles security vulnerabilities in products after they have been shipped. Lipner also drove the code-cleaning initiative last year, which saw Microsoft take a break from writing code to examine its work for security flaws.

The Security Engineering Strategy team will be small, with about 10 security experts who will be recruited from within as well as outside Microsoft, Lipner said. “We will try to get the best people so we can do a great job on security for our customers,” he said.

Microsoft, which has faced hefty criticism when it comes to the security and stability of its products, created a business unit focused on security just over a year ago. The unit has been growing steadily since, Lipner said.

“Trustworthy Computing and security are key elements of success for the IT industry going forward,” he said. Trustworthy Computing is the Microsoft-wide initiative to focus on security launched by Microsoft chairman and chief software architect Bill Gates in January 2002.

The creation of the Security Engineering Strategy team can only be positive, said Mark Litchfield, a security researcher with Next Generation Security Software Ltd. (NGSSoftware) of Sutton, England. Litchfield and NGSSoftware have been credited with discovering a number of bugs in Microsoft software.

“I’m sure (this new team) will over time make ours as well as all other security researchers’ jobs a lot harder,” said Litchfield. “I believe over the last year, Microsoft has made more steps than most vendors in pushing towards greater product security. The Security Engineering Strategy team further adds to this.”

However, Microsoft is a long way from its ultimate goal where users can take security for granted in its products, Litchfield said. The vendor is always in the spotlight and is probably the most common target for bug hunters. Furthermore, the majority of viruses written attack Microsoft products, he said.