With Microsoft software being susceptible to virus attacks in the recent past, the company has gained the notorious tag of being the maker of vulnerable software. Thus, Microsoft is today the biggest proponent of software security and has been working on an initiative called “trustworthy computing”.
Craig Mundie, chief technology officer, Microsoft, was in India to talk about trustworthy computing and the security initiatives that the company is taking. Excerpts...
• On Microsoft now being the number one target for malicious computer virus writers:
We consider security to be our top priority. To that end, we have been working with government leaders, privacy and security experts, consumer advocates and others to develop solutions that make our systems as secure, private and reliable as possible. We are constantly working on improving our response time, and we are sharing what we know with the government, the industry and the general public. However, no software can ever be perfect.
Craig Mundie, Microsoft CTO: ‘A fundamental shift in the way we build products’
• On why Microsoft products are so vulnerable:
Millions use our products securely every day; however, there is room for improvement. We realize that improving security requires a fundamental shift in the way we develop code and build products. In the last 18 months we have retrained 11,000 developers and developed ongoing security training for developers, testers and other employees; instituted a wide array of new, more secure development practices; provided our developers with enhanced tools; and delivered a broad set of tools to both consumers and business customers.
Microsoft maintains a rigorous testing process for all products to ensure that they are as secure as possible. We are confident that, over time, our commitment to trustworthy computing will result in fewer security vulnerabilities that require remediation through the security response process.
• On the trustworthy computing model being broader in scope than the SysTrust/SAS70 models:
The SysTrust/SAS70 models are limited to large-scale online systems, while the Microsoft trustworthy computing model applies a holistic view to the computing experience. The following excerpt from a white paper illustrates the scope of trustworthy computing:
“First, there are the machines themselves. They need to be reliable enough that we can embed them in all kinds of devices–in other words, they shouldn’t fail more frequently than other similarly important technologies. Then there’s the software that operates those machines: do people trust it to be equally reliable? And finally there are the service components, which are also largely software-dependent. This is a particularly complicated problem, because today we have to build dependability into an end-to-end, richly interconnected system.”
• On “Security by Default” where software is shipped with security measures in place and vulnerable components are disabled:
Security by default means shipping products in a locked down position, so customers enable only those features they want to use and maintain. Windows Server 2003 is an example of secure by default, with more than 20 services locked down by default or running in a lower-privileged account to reduce the risk of security attacks and compromises. These default settings have resulted in fewer vulnerabilities and a decrease in the criticality of those vulnerabilities.
That said, we know that the number of security vulnerabilities will never be zero, so there will always be a need for a security response process to fulfill our commitment to our customers.
• On the action points under the trustworthy computing initiative:
The trustworthy computing initiative is predicated on four key pillars: privacy, security, reliability and business integrity. We have invested time, money and resources to train our employees, institute new policies, monitor processes and create innovative development tools to improve our software.
We have taken steps in each one of these key areas. We’ve included some of our actions under the security pillar:
- Broad security training for developers, testers and other employees across the company to “write secure code” (Windows, Office, Visual Studio, etc). This is an ongoing training effort and not a one-off effort
- Security “stand down” code reviews in Windows, Office, Visual Studio and Exchange divisions, among others
- Windows Server 2003–more than 20 services locked down by default or running in a lower-privileged account to reduce the risk of security attacks and compromises (IIS 6.0 locked down, UPnP removed, PEAP support for wireless connections, enhanced single sign-on, enhanced PKI, Security Configuration Wizard)
- Developing Next Generation Secure Code Base as a part of the Microsoft Windows operating system, which when combined with new hardware and software provides additional security services to PCs focused on enhancing system integrity, privacy and data security
- Software Update Services is a security management tool that enables IT administrators to deploy critical updates from their corporate firewalls to Windows 2000-based servers and desktop computers running Windows 2000 Professional and Windows XP Professional
- Microsoft Baseline Security Analyzer is a tool customers can use to analyze the Windows 2000 and Windows XP systems for common security misconfigurations, and to scan for missing security hot fixes and vulnerabilities on a variety of products, including newer versions of the Internet Information Server, SQL Server and Office
• On the acquisition of Romania-based GeCAD Software, an anti-virus detection and data security company:
The strategic investment in GeCAD Software continues to be very valuable to Microsoft as it enables partners to build and deliver better anti-virus solutions. The process of developing anti-virus solutions with inputs from GeCAD Software is ongoing, and so we feel it is still too early to determine the success of the acquisition.
• On how Microsoft plans to address security for Web services:
In April, Microsoft, IBM and VeriSign announced the publication of WS-Security, a new Web services security specification. WS-Security works with SOAP (Simple Object Access Protocol is an XML syntax for exchanging messages) to add the ability to transmit security credentials as well as enabling the delivery of Web services messages with the appropriate confidentiality and integrity.
In the “Security in a Web Services World” roadmap, Microsoft and IBM have described a comprehensive Web services security model that includes proposed specifications for policy, trust, privacy, secure conversation, federation and authorization. The roadmap is the foundation for building interoperable and secure Web services.
• On Microsoft’s plan for the Indian market, specifically in terms of ensuring security for Indian users:
Our focus in India–as in most countries–is on the secure by deployment aspect of trustworthy computing. We spend a lot of time devising programs and initiatives aimed at educating and updating customers on how to run a secure infrastructure through the right implementation and policies. To this end, we work closely with our partners and have regular communication programs to identify and help customers address ongoing security issues.
NEETU KATYAL in New Delhi