Building Up the Trust

Microsoft's Trustworthy Computing campaign will get its first big test with the release of Windows Server 2003-the first product built from the ground up since the implementation of the security program.

Microsoft Corp. is stepping up its Trustworthy Computing efforts as it readies the release of Windows Server 2003—a product viewed by company executives and customers alike as a crucial test of the security programs effectiveness.

The server, due in April, is the first product from the Redmond, Wash., developer to be designed and built from the ground up since the implementation of the Trustworthy Computing campaign. As such, it will be an early indicator of the success or failure of the companys efforts to train developers in writing secure code.

"If Windows Server 2003 comes out and its as buggy as some other products have been, people will say that even when they put their resources behind it, they just cant do it," said Scott Charney, chief security strategist at Microsoft. "Theres an element of faith to it. If a lot of vulnerabilities are found in short order, that would be bad."

All the companys developers have now gone through at least a basic security course, and, as a result, Microsoft has begun holding developers personally responsible for vulnerabilities found in their code.

As part of the initiative, developers must sign every piece of code they write so that flaws can be easily traced back to the person who wrote the code, officials said.

"Were redefining at a higher level the role of developers," Charney said. "When we find a vulnerability, we find the person responsible for that part of the code. If you go and find that hes had [security] training and writes bad code and has had low performance reviews, well take action."

Customers give Microsoft credit for continuing to push forward on security and privacy, but some say the Trustworthy Computing plan is not without flaws.

"In my opinion, the biggest flaw in the Microsoft Trustworthy Computing initiative is the all Microsoft or nothing aspect of it," said John McGuire, a network engineer and security specialist at SBCS Inc., a software developer in Huntington, W.Va. "Any non-MS components reduce the effectiveness of it.

"I personally perceive that what they say they are doing and what they actually are doing may be two different things," McGuire said. "Microsoft is a marketing company that happens to build or buy and modify the software they market. I dont see that changing.

"Given all that, I think that they intend to make progress," McGuire added. "Well have to see if they prove they are any better this year than the last three."

Microsoft is also continuing to develop an internal scoring system to rate the security of each application. It is now considering tying the system to an online training program as well, officials said.

In this scenario, a developer conducting an assessment of an application would answer a series of questions after the development, such as whether a security code review of the application was done. If the answer is no, the developer could be taken directly to training materials explaining what a security code review is, how its done and why its valuable.

The idea is to use the results of the assessment immediately to improve the security of the product and the training level of the developer.

Another large part of this years Trustworthy Computing efforts will be concentrated on privacy. Richard Purcell, Microsofts chief privacy officer, is leaving the company at the end of March. Assuming that role will be Charney, who will add the privacy duties to his overall management of Trustworthy Computing.

A key goal: getting the level of training and awareness on privacy up to that of security in the minds of developers and others inside Microsoft.

"We really want to start deploying fair information practices in products so you have very clear choices on whats collected, how its used and why," Charney said. "We need to give people choices in how they handle data about themselves. The key is to identify things people want to control and provide controls for them to do that."

Ultimately, the success or failure of the massive initiative will greatly affect the way customers feel about the company in years to come. And that, executives said, will play a large part in determining the companys future direction.

"If were able to accomplish this, the trust bridge well have with our customers will be much stronger and deeper than anyone else has," said Susan Koehler, chief Trustworthy Computing strategist at Microsoft.

Microsoft officials said the Trustworthy Computing effort has cost the company more than $360 million to date, a number that doesnt take into account the threefold increase in the research and development budget for security.

  • Check out eWEEK.coms Security section
  • Check out eWEEK.coms Microsoft Security section