Locking Down Windows Live
"Eighty percent of the problems we find [in code reviews], we tell the development team, and they say, Youre not supposed to do that. They have to overcome that kind of natural optimism. Most developers believe software security is security software," McGraw said. Microsofts new on-demand products such as Windows Live and Office Live will undergo the same security reviews as the companys traditional client and server software. However, Microsoft is also planning changes to its Security Development Lifecycle program that address security issues in Web-based deployments, Howard said."[On demand] means a big shift in control," said Samir Kapuria, principal security strategist at Symantec, in Cupertino, Calif. "Enterprises have to rely on third parties to manage and maintain controls and privileges that were [previously] managed by in-house security." Youre the First Defense Despite that shift to more secure development, on-demand customers are still on the hook to comply with regulations regarding the handling of data, even though they do not control the information, Kapuria said. Microsoft hasnt decided where data for its Windows Live and Office Live services will reside. The answer to that question ultimately may hinge on the value of the data, Howard said. The company is currently vetting third-party hosting service providers for the Windows Live and Office Live services. Those providers will have to adhere to Microsofts standards for network and physical security. That includes everything from locks and cameras to properly trained administrative staff and well-established business continuity planning, Howard said. Microsoft also plans to use teams of "white hat" hackers to do penetration testing of hosting partners infrastructure before allowing the hosting partners to host Windows Live or Office Live, Howard said. Client machines are also a major security risk, adding to the difficulty of securing on-demand deployments, experts said. "Attacks on the client really worry me," said Howard. "Regardless of the [operating system], if you push [code] down to peoples desktops, bad guys can take advantage of that." Even low-tech hacks such as shoulder surfing are a threat to companies that keep reams of sensitive data on servers operated by companies such as Salesforce.com or PeopleSoft, said Cliff Bell, CIO of Phoenix Technologies, in Milpitas, Calif. Phoenix has developed and is testing a product that will use a Web services API with single-sign-on capabilities to allow companies that use Phoenixs secure BIOS software to generate trusted certificates for securely logging in to Salesforce.com. The software would require on-demand users to use an authorized laptop and provide a valid user identity and password to access Salesforce.com, Bell said. In the end, the biggest challenge for companies such as Microsoft that see their future in on-demand software may be getting customers to understand and be comfortable with the model. And, the current state of network and application security at most companies is poor enough to make it hard to imagine on-demand deployments being any worse, experts agree. "Eventually, your entire desktop will be on Googles servers, and youll just pay to use it on a monthly basis," said Sima. "All the security people scream and jump about that, saying that all your data is in one location ... but is that any worse than what we have today? Hell, no!" Senior Writer Ryan Naraine contributed to this report. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
However, improving developer education is only one part of the solution. On-demand companies also need to secure the networks of ASPs (application service providers) that deliver the applications to customers. For companies such as Microsoft, that means qualifying hosting service providers and even third-party device makers whose products might run services such as Windows Live, said Peter Boden, director of security risk management at Microsoft.