Microsoft Puts Meat Behind Security Push | eWeek

Microsoft Puts Meat Behind Security Push

Écrit par
Dennis Fisher
Dennis Fisher
Sep 30, 2002
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Although much of the hype surrounding Trustworthy Computing has subsided, Microsoft Corp. is quietly pushing the initiative ahead with behind-the-scenes efforts that include an extension of its developer training program and the possible development of additional stand-alone security products.

But while customers give Microsoft credit for its recent efforts, some said the company has much work to do before it reaches Chairman Bill Gates stated goal of making software as reliable as electrical power.

Among recent changes at Microsoft is the inclusion in every product group of a person responsible for the security of that products code. Although developers remain accountable for their code, the security liaison is accountable for the overall quality of the product.

Each product groups security representative, in turn, reports to their own group leader. Mike Nash, the vice president of the new security business unit, oversees the entire program.

The new organizational structure is part of an effort to ensure that customer feedback about security receives prompt attention, Nash said last week in an interview with eWeek.

“Our customers are telling us they not only want fewer vulnerabilities but also want us to make it easier for them to run our products in a secure way,” Nash said. “When there are problems, were trying to reduce the amount of friction it takes to fix them.”

For customers, a more tangible result of the Trustworthy Computing campaign is the new SUS (Software Update Service) patch management system. The SUS is a download that enables IT managers to set up their own Windows Update staging server inside their networks.

The server, released last week, polls the Windows Update site and displays a list of patches and hot fixes available for specified products. The administrator can then approve downloads, which are delivered to the SUS server. Client machines then check the SUS server on a regular basis and pull down the patches needed.


Page Two

: Decent First Attempt”>

Users who have tested the technology say its a move in the right direction, but it has limitations.

“Its a decent first attempt but not great,” said Andrew Nielsen, a senior technologist with Raytheon Co. working on a contract at NASA Ames Research Center, in Moffett Field, Calif., who is finishing a SUS deployment. “Theres a lot of room for improvement. It is what it is. The reporting capabilities need some work, and I had some problems with the synchronization telling me updates were available after I had already approved them for download,” he said. “However, Im pretty confident that subsequent versions will be better.”

The SUS server cant roll out service packs, nor can it push updates through firewalls to “child” SUS servers set up in other locations, Nielsen said.

Microsofts early work on Trustworthy Computing included putting all its developers through a lengthy training course on writing secure code and undertaking a massive bug hunt in its millions of lines of Windows code. The effort had an immediate effect when the Redmond, Wash., company decided to delay the release of its key .Net Server family, as well as a beta of the new SQL Server, because of the ongoing security code review.

The security training for developers is an ongoing process, Microsofts Nash said, and all new developers must go through the program within 30 days of joining the company. Microsoft has also developed an internal tool, roughly analogous to the Unix-based Lint program, that looks at code constructs to find bugs and vulnerabilities.

Nash said the company is considering developing more security products as well to complement the Internet Security and Acceleration Server firewall it sells. But he declined to give details on which categories Microsoft might go after.

“If Microsoft were to do that, it would be in an area where we have unique capabilities,” Nash said.

The Trustworthy Computing initiative has also brought about a major shift in priorities at Microsoft with regard to the way the company deals with customer feedback, Nash said. Gone are the days when features and functionality held sway over all other considerations in product development.

“Responding to customer security issues is the most important thing we do,” Nash said. “Its a change. Its a clarifying thing, and its a cultural change.”

Editors note: This story has been edited to clarify the structure of Microsofts security business unit.

Related Stories:

  • Microsoft Security Under Fire
  • Microsoft to Boost Security Response
  • Microsoft Shelled Out Millions on Security
  • Trusting in Microsoft
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.