1/24/2003
08:36 AM

Gates Pledges More Security Improvements

Microsoft chairman says his company's products will continue to improve as the vendor seeks to convince customers that Windows software is safe.

Microsoft has made headway in its Trustworthy Computing pledge, but chairman Bill Gates says it can do better.

In the latest of his monthly missives, part of Microsoft's ongoing executive E-mail public-relations campaign, Gates focused on what the company has done to deliver a more secure computing environment while admitting that more work lies ahead.

"While we've accomplished a lot in the past year, there is still more to do--at Microsoft and across the industry," Gates said.

Gates outlined the security initiative to Microsoft and its employees a year ago. Since then, he said, Microsoft has spent $200 million on improving Windows security and significantly more to bolster security for its other product lines.

In response to the better-security promise, Gates wrote, Microsoft has changed its development methodologies to integrate threat modeling into its design work. As part of that process, Microsoft put its Windows engineers through a 10-week security refresher to teach them to think like hackers and asked them to sniff through the Windows code for leaks and security problems.

"Fully one-half of all bugs identified during the Windows security push were found during threat analysis," he said.

The stakes are high, Gates wrote in his E-mail. "A secure computing platform has never been more important," he said. "Along with the vast benefits of increased connectivity, new security risks have emerged on a scale that few in our industry fully anticipated."

But the company's focus on security is paying dividends, Gates claimed. As evidence, he cites more secure products already released, such as Windows XP Service Pack 1 and Visual Studio .Net. Other programs scheduled for release during the first half of 2003 will also benefit, among them Windows Server 2003 (set for release in April), Office 11, and the next versions of SQL Server and Exchange Server.

Among other efforts, Microsoft has changed the way programs' defaults are set. In the past, a feature was typically enabled if Microsoft thought there was any chance a customer might want to use it. Now, however, Microsoft "locks down" software by setting default options for the most secure environment.

Michael Cherry, an analyst with Decisions on Microsoft, an independent research firm that specializes in following Microsoft's moves, sees this approach as one of the best proofs that the company is serious about security.

"I like the work they've done," he says, "in particular locking down the software so Windows doesn't come with everything turned on."

Cherry points out that Microsoft's 3-D attack on security--the Ds standing for default, design, and deployment--shows that it's serious about addressing security concerns.

"In the design process, it used to be that engineers only sort of thought about security," he says. "No one was going to give you a hard time if your code didn't take security into consideration. Now you have to prove how your feature deals with security."

But like Gates, Cherry sees room for improvement. "It's frustrating to me that I have to go to two update sites, one for Office and another for Windows," he says. "I think Microsoft's security efforts will pay off tremendously for customers in the future, but it could do more to make our current pain go away."

Gates' E-mail follows the year's first critical security alert from Microsoft about vulnerabilities in Windows.

Even here, Cherry notes that the company has made improvements. A year ago, he says, it would often take as long as a week for a critical security alert to get a hot fix. "They've tightened the time frame," he says, adding that the time from alert to update is now well under 24 hours on average.
