Gates Pledges More Security Improvements - InformationWeek
08:36 AM

Microsoft chairman says his company's products will continue to improve as the vendor seeks to convince customers that Windows software is safe.

Microsoft has made headway in its Trustworthy Computing pledge, but chairman Bill Gates says it can do better.

In the latest of his monthly missives, part of Microsoft's ongoing executive E-mail public-relations campaign, Gates focused on what the company has done to deliver a more secure computing environment while admitting that more work lies ahead.

"While we've accomplished a lot in the past year, there is still more to do--at Microsoft and across the industry," Gates said.

Gates outlined the security initiative to Microsoft employees a year ago. Since then, he said, Microsoft has spent $200 million on improving Windows security and significantly more to bolster security for its other product lines.

In response to the better-security promise, Gates wrote, Microsoft has changed its development methodologies to integrate threat modeling into its design work. As part of that process, Microsoft put its Windows engineers through a 10-week security refresher to teach them to think like hackers and asked them to sniff through the Windows code for leaks and security problems.

"Fully one-half of all bugs identified during the Windows security push were found during threat analysis," he said.

The stakes are high, Gates wrote in his E-mail. "A secure computing platform has never been more important," he said. "Along with the vast benefits of increased connectivity, new security risks have emerged on a scale that few in our industry fully anticipated."

But the company's eye on security is paying dividends, Gates claimed. As evidence, he cited more secure products already released, such as Windows XP Service Pack 1 and Visual Studio .Net. Other programs scheduled for release during the first half of 2003 will also benefit, among them Windows Server 2003 (set for release in April), Office 11, and the next versions of SQL Server and Exchange Server.

Among other efforts, Microsoft has changed the way programs' defaults are set. In the past, a feature was typically enabled if Microsoft thought there was any chance a customer might want to use it. Now, however, Microsoft "locks down" software by setting default options for the most secure environment.
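The shift described above, from "enable it if any customer might want it" to shipping locked down, can be made concrete with a small audit: given a product's feature catalogue, which network-facing features are on purely because of the default, with no administrator having chosen them? The script below is an added example written for this page, not Microsoft's code or anything from the article; the feature names, their attributes and the two policy functions are constructed for illustration.

```python
# Added example (not from the article): modelling the shift from "enable a
# feature if a customer might want it" to secure-by-default configuration,
# with an audit check that lists network-exposed features left on without an
# explicit administrator decision. Feature names and attributes are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class Feature:
    name: str
    network_facing: bool   # listens on the network or accepts remote input
    possibly_wanted: bool  # "some customer might use this" (old enablement test)


# Constructed catalogue of hypothetical server features.
CATALOG = [
    Feature("file_sharing", network_facing=True, possibly_wanted=True),
    Feature("remote_admin", network_facing=True, possibly_wanted=True),
    Feature("legacy_protocol", network_facing=True, possibly_wanted=False),
    Feature("local_logging", network_facing=False, possibly_wanted=True),
]


def old_defaults(catalog):
    """Pre-lockdown policy: a feature ships on if anyone might conceivably want it."""
    return {f.name: f.possibly_wanted for f in catalog}


def locked_down_defaults(catalog):
    """Lockdown policy: anything that exposes a remote surface ships off."""
    return {f.name: not f.network_facing for f in catalog}


def effective_config(defaults, overrides):
    """Apply explicit administrator choices on top of the shipped defaults.
    Unknown feature names in overrides are rejected rather than silently added."""
    unknown = set(overrides) - set(defaults)
    if unknown:
        raise ValueError(f"unknown features: {sorted(unknown)}")
    return {**defaults, **overrides}


def audit_exposure(catalog, defaults, overrides):
    """Return network-facing features that are enabled only because of the
    default, i.e. nobody explicitly chose to turn them on. Under a
    secure-by-default policy this list should be empty."""
    config = effective_config(defaults, overrides)
    return sorted(
        f.name for f in catalog
        if f.network_facing and config[f.name] and f.name not in overrides
    )


if __name__ == "__main__":
    overrides = {"file_sharing": True}  # the administrator deliberately enabled this
    print("old policy, exposed by default only:",
          audit_exposure(CATALOG, old_defaults(CATALOG), overrides))
    print("lockdown policy, exposed by default only:",
          audit_exposure(CATALOG, locked_down_defaults(CATALOG), overrides))
```

Run as-is, the old policy reports `remote_admin` as exposed with nobody having asked for it, while the locked-down policy reports nothing: the only network-facing feature that is on is the one the administrator turned on. Keeping overrides separate from defaults is what makes the audit possible; once they are merged, the "who decided this" information is gone.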

Michael Cherry, an analyst with Decisions on Microsoft, an independent research firm that specializes in following Microsoft's moves, sees this approach as one of the best proofs that the company is serious about security.

"I like the work they've done," he says, "in particular locking down the software so Windows doesn't come with everything turned on."

Cherry points out that Microsoft's 3-D attack on security--the Ds standing for default, design, and deployment--shows that it's serious about addressing security concerns.

"In the design process, it used to be that engineers only sort of thought about security," he says. "No one was going to give you a hard time if your code didn't take security into consideration. Now you have to prove how your feature deals with security."

But like Gates, Cherry sees room for improvement. "It's frustrating to me that I have to go to two update sites, one for Office and another for Windows," he says. "I think Microsoft's security efforts will pay off tremendously for customers in the future, but it could do more to make our current pain go away."

Gates' E-mail follows the year's first critical security alert from Microsoft about vulnerabilities in Windows.

Even here, Cherry notes that the company has made improvements. A year ago, he says, it would often take as long as a week for a critical security alert to get a hot fix. "They've tightened the time frame," he says, adding that the time from alert to update is now well under 24 hours on average.
