Microsoft Puts Meat Behind Security Push

Trustworthy Computing initiative to include an extension of Microsoft's developer training program and the possible development of additional stand-alone security products.

Although much of the hype surrounding Trustworthy Computing has subsided, Microsoft Corp. is quietly pushing the initiative ahead with behind-the-scenes efforts that include an extension of its developer training program and the possible development of additional stand-alone security products.

But while customers give Microsoft credit for its recent efforts, some said the company has much work to do before it reaches Chairman Bill Gates' stated goal of making software as reliable as electrical power.

Among recent changes at Microsoft is the inclusion in every product group of a person responsible for the security of that product's code. Although developers remain accountable for their code, the security liaison is accountable for the overall quality of the product.

Each product group's security representative, in turn, reports to their own group leader. Mike Nash, the vice president of the new security business unit, oversees the entire program.

The new organizational structure is part of an effort to ensure that customer feedback about security receives prompt attention, Nash said last week in an interview with eWeek.

"Our customers are telling us they not only want fewer vulnerabilities but also want us to make it easier for them to run our products in a secure way," Nash said. "When there are problems, we're trying to reduce the amount of friction it takes to fix them."

For customers, a more tangible result of the Trustworthy Computing campaign is the new SUS (Software Update Service) patch management system. The SUS is a download that enables IT managers to set up their own Windows Update staging server inside their networks.

The server, released last week, polls the Windows Update site and displays a list of patches and hot fixes available for specified products. The administrator can then approve downloads, which are delivered to the SUS server. Client machines then check the SUS server on a regular basis and pull down the patches needed.