News

Microsoft Outlines Windows Security Strategy at DevCon

• By Matt Migliore
• 09/05/2002

According to Valentine, Microsoft has done everything it can to make sure its new server operating system, Windows .NET Server 2003, doesn’t fall victim to the same security holes that have plagued the product in the past. During his keynote, Valentine said Windows .NET Server represents a paradigm shift for Microsoft, in that it was “engineered for security.”

With previous versions of Windows Server, Valentine said security wasn’t a primary concern. “Originally,” he said, “the focus was getting people on the network, not keeping people off it.”

But, after a number of security holes in Microsoft’s popular IIS Web-serving software were exposed by worms and hit by virus attacks, Valentine said Redmond realized it needed to reassess its security strategy.

Microsoft’s newfound focus on security is part of the Trustworthy Computing model Bill Gates introduced in January of this year. It is comprised of four primary methodologies: Secure by Design, Secure by Default, Secure by Deployment and Communications.

The Secure by Design element of the strategy means Microsoft will make security the core focus during the development process. The Secure by Default element means Microsoft’s software will be installed defaulted to run in its most secure setting. And the Secure by Deployment and Communications elements mean Microsoft will be playing a more prominent role in security training, as well as a participant in industry-wide security efforts.

According to Microsoft, more that 8,500 of its employees have already undergone security training. And Valentine said security training is now mandatory for everybody in the Windows division.

In addition, Valentine said Microsoft has reviewed every line of code in the Windows product group for security flaws. And, he said, Microsoft plans to be more vigilant in distributing fixes to its customers as new flaws are found.

Still, Valentine was quick to point out that Microsoft isn’t the only reason for security lapses within the enterprise. Citing a recent analyst report, Valentine said the Microsoft platform was no worse than leading Linux or Unix systems in terms of security flaws. “We all suck,” he said.

Valentine said a long-term, industry-wide commitment is required in order to limit security breaches in IT. “[Security] is not something just Microsoft can solve,” he said. “There’s no end point to this problem. It’s an issue we all have to tackle.”

DevCon attendee Stephen Deasy, a software engineer with EMC, said he was impressed with some of the steps Microsoft has already taken to beef up security. He said, the developer training and code reviews have restored some of his confidence in the Windows platform. But, he said the most promising piece of Microsoft’s security strategy was that it seemed to be based on a unified vision.

“In the past, [Microsoft] relied too much on the different application groups to address security independently,” said Deasy. Now, he said, it appears they have a more coherent strategy for security across the entire product line.

Deasy is hopeful Microsoft’s new focus on security will mean less security patches. “It got to a point [after the Code Red virus] where they were losing us,” he said. “You can only release the number of security patches they were releasing for so long before you start to ask, ‘Is there a better security option out there?’”

Today, though, Microsoft seemed ready to put the past behind them. “Just remember,” said Valentine. “It’s all about security today, and as we move forward.”