Is Microsoft Security Getting Better?

Content Copyright © 2006 Bloor. All Rights Reserved.

Hardly a day goes by without Microsoft getting a good kicking from someone.

With such a vast product range that touches many millions of people each day, it would be even stranger if everything they did was perfect. The criticism can range from mild through to fervent personal hatred, at which point things start to get a bit scary.

I for one have not been afraid to share my views and frustrations with Microsoft, especially when the business seemed to lose its way in the late 1990s and early 2000s. There appeared to be a growing arrogance in the organisation that led to many upset partners and customers, compounded by some bad decisions made by bad managers.

It was against this background that I decided to get a view from the horse's mouth and see what Microsoft had to say about one particular area of the company’s strategy—security.

Now I consider myself a reasonably well informed Microsoft watcher. Many moons ago Mr Gates paid my salary for a number of years when I worked as a systems engineer and product manager. Back then the business was much smaller than it currently is and Windows 3.0 (remember that?) was starting to gain some interest in corporate UK. In fact we were also actively promoting OS/2 as the platform of choice for SQL Server in these pre-Windows NT days.

My objective of meeting up with Microsoft again was to discuss their security advances with an open mind and see what changes they were making to improve the lot of customers.

The first point to note about Microsoft is that it is now a huge organisation with a very large range of diverse products (from Xbox, to mouse, to Enterprise Server products). Couple that with a lot of bright people striving to be heard above the noise and you end up with a big management headache. Interestingly, this headache becomes a migraine during the employee review process, which causes a lot of grief for many members of staff, but that is a separate discussion.

The second point of note is that there are two sides of security at Microsoft—the notion of Microsoft as a secure vendor and the notion of Microsoft as a vendor of security products.

Microsoft the secure vendor is probably the biggest area of concern for those using Microsoft products—how secure is the platform and how secure are Microsoft products? It is accepted by Microsoft that during the late 1990s the quality of their software, at least from a security viewpoint, was sometimes dubious and at times downright scary.

The culture persisted where a developer could dream up a new feature and get it signed off with the minimum amount of administration, often simply completing a “new feature wizard”. This led to tremendous software bloat and the inclusion of very questionable code such as Easter Eggs.

An Easter egg is a piece of code that enables the finder to play a game or access hidden credits to the development team. It would appear that the product groups tried to outdo each other with increasingly sophisticated hidden code; one real corker was an interactive flight across a futuristic planet with full graphics in Excel 97.

And you wondered why the product was fat, lazy and buggy?

Spurred on by customer and partner cries of foul, Microsoft finally woke up to their security responsibilities in 2002 and launched the Trustworthy Computing initiative.

This program was mandated by Bill Gates and all product groups were prevented from undertaking any new development until they had received security training and trawled through their existing code to make sure there were no security holes. According to Microsoft this was the start of a 10-year program, so we have a way to go yet.

This focus on security has radically changed the way Microsoft work. Each product group now has a security engineer that sits on the product board and can veto the release of a product if it is believed that it is insecure. SQL Server 2005 was delayed 9 months for just this reason.

Products are now released “when they are ready” rather than when the marketing team believes they should be, which has been a big cultural shift for the company. The view now is that if a feature cannot be included because the product has been locked down for security purposes, then Microsoft will rely on third parties to fill the feature gap. Microsoft are also employing external penetration testers to beat up Microsoft software, with financial incentives should the testers find flaws in the products.

I wonder if the testers can choose the products they work on? Bagsy Internet Explorer!

The measurement of success in the Trustworthy Computing initiative is based on customer satisfaction surveys. These measure views of a product from a range of customer types including IT professionals and consumers.

The measure of publicly known vulnerabilities is deemed to be a false indicator of success or failure as Microsoft, like many vendors, will not always make vulnerabilities public and this measure can be subject to abuse. Design wins, where a customer has deployed a new technology in a production environment, are probably a better endorsement of what Microsoft are doing. A big name brand deploying new technology is bound to persuade those further down the chain that it is worth considering.

Adherence to standards is now important to Microsoft. Products, where relevant, are subjected to testing against FIPS and Common Criteria standards, which costs the company a lot of money each year. Where a standard has not evolved to test an area that Microsoft provide functionality for, the company will make suggestions to extend the standard to encompass this requirement.

Software testing has also been shaken up. In the past software testing has sometimes been seen as a Cinderella service, employing those too junior or too dim to make it as a real programmer. After all, who wants to test features when you can have the job of creating cool new buttons?

In reality the profession of software testing has now established itself as a career path in its own right.

The ratio of testers to programmers is now 3:1. This has given Microsoft another headache as they try and recruit good testers with the technical and personal ability to winkle out software bugs. Lack of resources in the traditional heartlands of Redmond, WA, has led to the offshoring of a lot of this work to Microsoft in India.

So has Microsoft got security right? The signs are looking promising and the organisational structure is now in place to deliver more secure products. The release of Vista will be a huge milestone for Microsoft, and they will be under the spotlight with more intensity than ever before. If they deliver a secure product then they will be well down the road to establishing themselves as a vendor of secure products.

If they fail then Microsoft will lose more than the sales of a new operating system. I for one will be keeping a very close eye on developments.