[ISN] 'Trustworthiness' still a goal for Microsoft

InfoSec News isn at c4i.org
Fri Oct 15 06:29:04 EDT 2004


By Paul Roberts
IDG News Service

January 15, 2005 - a Saturday - will almost certainly pass quietly on
the bucolic Redmond, Wash., campus of Microsoft. But for those in the
field of information technology security, who often make a sport of
following the company's struggles to secure its products, the date is
certain to attract some notice: it's the third anniversary of a
now-famous internal Microsoft e-mail dubbed the "Trustworthy
Computing" memo.

Three years after the release of the 1,500 word memo from the
company's founder and Chief Software Architect , Bill Gates, those
inside and outside Microsoft credit Trustworthy Computing with setting
in motion vast changes that have improved the security of many of
Microsoft's products. At the same time, customers and industry experts
wonder aloud whether Microsoft will ever fully realize Gates' vision,
taming the company's massive stores of legacy software code and
reconciling its desire to please consumers with its duty to protect
them from threats.

Addressed to all full-time employees at Microsoft and its
subsidiaries, Gates' Trustworthy Computing memo announced an ambitious
program to make Microsoft's technology more secure and reliable, and
signalled a profound change in the culture of the world's leading
software maker. In it, Gates re-oriented the priorities of the company
he founded in 1978, and which made him into the world's richest man in
the 1990s by turning out easy-to-use software applications that were
tightly integrated with the company's dominant Windows operating

Written just months after the Sept. 11, 2001 terrorist attacks in the
U.S., the Trustworthy Computing memo likened the need to secure his
company's software to the new imperatives of securing the nation's
critical infrastructure such as airlines, electrical, telephony and
water services.

Compared to the reliability of such critical services, "computing
falls well short," Gates said, noting that the insecurity and
instability of computing systems had a subtle but pernicious effect on
technology adoption.

As explained by Gates in the memo, four important aspects comprised
the new initiative: availability, security, privacy and

On the issues of availability and security, Gates proposed an end to
two of the most frequently heard complaints about his company's
software: that it crashed far too frequently, and that it was riddled
with vexing security holes that exposed customer information to harm.

Microsoft should also protect the privacy of its customers' data and
allow them to control how their data is used, Gates said. Finally,
Microsoft needed to look beyond bugs and availability, creating an
industry-wide computing ecosystem that was "trustworthy" from "smart"  
software and services down to the processor chip, Gates said.

Within Microsoft, the memo "absolutely changed the mindset of the
company," said Gytis Barzdukas, director of product management in
Microsoft's Security Business and Technology Unit.

Barzdukas worked in Microsoft's Office product group when the memo was
sent. As an example, he recalls halting development on Version 11 of
Microsoft Office, the company's most profitable product, for an entire
month in 2003 to conduct a security review of all Office components.

That kind of decision would have been unheard of in the go-go days of
the 1990s, when Microsoft's focus was on shipping its products fast
and on crushing the competition, such as rival Web browser Netscape,
with key features, said John Pescatore, vice president at Gartner.

"Microsoft was of the opinion that nobody cared about security - what
they wanted was integration ... something so easy that (their
grandmother) can use it," he said.

At the organizational level, Microsoft shook up its product-focused
development groups, creating the cross-product Trustworthy Computing
group to develop policies for the entire company. Security experts in
that group consult with Microsoft's key customers in the private and
public sectors, and provide guidance on developing security strategy
and architecture for Microsoft products, he said.

Internally, the company also devoted resources and people to security.  
For example, in addition to stopping development on both its Windows
and Office products for a review of code security, Microsoft began
investing more energy and resources into automated code scanning tools
that can spot the mistakes that create security vulnerabilities in the
company's products, Barzdukas said.

The result has been a 69% reduction in the number of critical security
vulnerabilities in bulletins since Trustworthy Computing began, he

In three years, Microsoft has also trained legions of security experts
within the company's ranks. To date, the company has more than 400
employees on staff with Certified Information Systems Security
Professional (CISSP) certification, compared with just a dozen before
the Trustworthy Computing memo was released, Barzdukas said.

For its consumer and enterprise customers, Microsoft also streamlined
its processes for distributing software updates and emergency security
patches. The company began aggressively pushing its automatic software
update, available with the Windows 2000 and subsequent operating
system releases. To date, the company has increased the number of
people using the Autoupdate feature by between 300% and 400%,
Barzdukas said.

Microsoft also improved its policies for releasing security patches,
moving from a scattershot system of "as needed" software updates to a
predictable, monthly schedule of software security updates and a
clearly articulated rating system for security updates.

On the subject of "trustworthiness," Microsoft has taken pains to
share information and best practices with other companies in
industries such as antivirus software, Barzdukas said. Today, the
company takes an active roll in a number of industry groups, from the
Virus Information Alliance, a group of leading antivirus and e-mail
security companies that share information on new virus outbreaks, to
the Global Infrastructure Alliance for Internet Safety, a
security-focused working group of global ISPs.

The company also took the lead on important industry standards,
including WS Security, a Web services security standard Microsoft
co-authored with IBM, and Sender ID, an e-mail sender authentication
standard that the company has aggressively promoted to ISPs and e-mail
technology companies as a partial fix for phishing scams and spam.

Perhaps the biggest accomplishment of Trustworthy Computing, though,
has been making security matter - not just to the company's founder,
but to its executives and product managers, Gartner's Pescatore said.

Citing a recent visit to the Redmond campus to discuss the upcoming
release of the company's SQL Server product, code named "Yukon,"  
Pescatore said that security is still one of the top three features of
the product. That continued focus on security will, over time, foster
a more security-conscious culture at Microsoft, Pescatore said.

Jeff Payne, CEO of Cigital in Dulles, Va., which provides software
security consulting, agrees with that assessment.

"Trustworthy computing has started to get (Microsoft) to realize that
you have to balance speed to market with the security people expect,"  
he said.

Microsoft's investments in technology and processes since the
Trustworthy Computing memo came out have made life easier for John
Halamka, CIO at CareGroup Healthcare System in Boston.

Halamka said that CareGroup hospitals, such as the Beth Israel
Deaconess Hospital in Boston have had fewer issues with security
breaks and viruses in recent years, due in part to Microsoft's
improved patch delivery program and what appears to be tighter
software development practices.

"You don't get the egregious (software holes) that you used to get in
beta releases. It seems like they've put a significant amount of
research and development dollars into better security and to ensure
the integrity of their core products," Halamka said.

Payne voiced a similar opinion.

"The severity of (Microsoft) bugs and issues in patches has been going
down significantly - and that's what you want to see happen," he said.

Despite unquestioned improvements in both the security of its products
and its internal processes for addressing security issues, however,
Microsoft is still far from realizing the vision set out by Gates in
the Trustworthy Computing memo, experts agree.

Chief among the challenges facing the software giant is shoring up the
millions of lines of existing, or "legacy" computer code, some of it
dating back to the early or mid-1990s.

"The big problem (Microsoft) has is just that Windows has been so bad
for so long. There's a huge mass of (insecure) code," Pescatore said,
noting that the company's decades-old obsession with features and
integration is to blame.

"Lots of Microsoft's strategy entailed jamming applications into the
operating system - a Web browser, a media player - and that violates
the principle that keeping something small makes it more secure than
something big," he said.

"They're trying very hard," said CareGroup's Halamka, "but they're
also fighting the legacy of highly complex code that's going to make
ongoing maintenance of their products hard."

At a deeper level, Microsoft also has to find a way to reconcile the
diverging needs of its two main customer groups: consumers and
businesses, Pescatore and others said.

"If you think about how Microsoft became great, it was by putting
control in the hands of users - helping users overcome the IT
organization that wanted everything to run on a mainframe in the
basement," Pescatore said.

However, in enterprise computing, putting power in the hands of users
is the last thing IT administrators want, and Microsoft essentially
sells the same products to both groups, he said.

The August release of a massive software update for the Windows XP
operating system was a good example of Microsoft's often awkward
attempts to meet the needs of both communities.

Almost two years in the making and months overdue, Windows XP Service
Pack 2 (SP2) featured a new security interface, a much-enhanced
version of the Windows firewall and a number of configuration changes
that make it harder for Windows systems to be compromised.

The update was good news for most home users of Windows, whose
machines make up the bulk of compromised hosts on the Internet.  
However, security experts and even Microsoft itself began warning well
in advance of SP2's release that some changes could affect other
installed software.

Almost as soon as the update was available to Microsoft's enterprise
customers, companies - including IBM - warned their employees not to
download it, for fear that installing SP2 would break or destabilize
critical enterprise applications.

Microsoft also found itself in hot water over its decision to push out
the 75M-byte to 100M-byte update to user desktops through its
automatic update feature, potentially circumventing the IT policies of
many of its enterprise customers, and causing a huge bandwidth crunch.

Seemingly unaware that many enterprises used the automatic update
feature to distribute software patches to their users, Microsoft was
forced to delay distribution of SP2 over automatic update for nine
days, while customers used a Redmond-developed tool to deactivate the
delivery of SP2 using the automatic update feature.

Microsoft also faces challenges on the issue of "trustworthiness,"  
experts agree.

While ostensibly agnostic in its efforts to promote better security
across the computing world, Microsoft has also engaged in a war of
words with the open source software community over the question of
whether its proprietary software is less secure than Linux. In recent
years, Microsoft funded a study by Forrester Research Inc. that found
Linux more expensive to develop applications for than Windows. The
company also raised eyebrows when it purchased $21 million in licenses
from Unix provider The SCO Group in May 2003, shortly before that
company renewed threats to sue IBM over portions of the Linux code SCO
claims to own.

On the question of standards, Microsoft is still widely perceived as a
company that wants to go its own way and use its dominance of the
desktop operating system market to force adoption of its own
standards, Pescatore said.

An example of this can be found in its strong backing of the Sender ID
e-mail sender authentication, a nascent standard that Microsoft is
aggressively promoting.

The company won praise from the standards community after it agreed to
combine a Redmond-developed technology standard called Caller ID with
a very similar technology called Sender Policy Framework, developed by
Meng Weng Wong at e-mail forwarding company Pobox.com.

However, the merged Sender ID standard soon ran into trouble after
talks between Microsoft and leading open-source software groups to
resolve concerns about patent and licensing issues with the proposed
standard broke down, prompting the Internet Engineering Task Force and
major corporate backers, such as AOL, to withdraw support.

More information about the ISN mailing list