MS security czar critiques efforts

Listeners praised Microsoft Corp.’s recent efforts to improve product security and patch management after hearing them described in detail by Scott Charney, the company’s chief security strategist. But they agreed that Microsoft has not yet shown it can reach its own security goals.

Speaking here at the Computerworld Premier 100 Conference, Charney explained how, as part of its Trustworthy Computing initiative, Microsoft has delayed the release of products such as Windows 2003 and Visual Studio .Net. That way, he said, developers who have been trained in areas such as threat modeling and penetration testing can review the software code for flaws.

The company also added two layers of security verification outside of the product groups, because having developers in the product groups be responsible for security “was like having the fox guarding the henhouse,” Charney said. Now, his department and an outside firm handle “pen testing” before a product is certified for public release.

And despite complaints from some corporate users, Microsoft products will now be shipped with maximum security features turned on, Charney said.

Those moves are essential, according to Phil Dunkleberger, CEO of Pretty Good Privacy Corp. (PGP), a software security provider in Palo Alto, Calif. “Now they have a guy who is a traffic cop who does not have money at stake,” he said of Charney.

Dunkleberger went on to praise the idea of shipping products with security features enabled by default. “Locking down products when they’re released is good, even when faced with resistance from larger users,” he said.

But he expressed disappointment that Charney didn’t discuss the idea of opening up the security elements of Microsoft’s products to open-source evaluation. PGP’s source code is released for open-source review before it’s sold commercially.

RA Vernon, chief security officer at Reuters America in New York, said Microsoft’s efforts are moving “in the right direction” but “are long overdue on Microsoft’s part.”

Microsoft, Vernon said, has significant hurdles to cross before it can say it has achieved its goal of “trustworthy computing.”

“This is a major undertaking,” Vernon said. “The company has a monstrous infrastructure of products to secure. Is it doable? Yes. But in the short term we will see a number of hiccups.”

Vernon also expressed worries that before Microsoft can achieve the goals of its Trustworthy Computing initiative “major cultural change has to take place.”

Charney acknowledged that issue, specifically in relation to patch management procedures, which he characterized as “not good today at all.” He said Microsoft’s decentralized management approach, while “wonderful” in many respects, becomes an impediment to effective patch management. For example, the company had eight different patch installers and some tools can’t determine whether a patch has been installed properly or not.

That, he said, will change with the release of Longhorn, the code name for the next release of the Windows operating system. With that release, which isn’t expect before mid 2004 at the earliest, a single patch installer will exist.