Microsoft Security Efforts Just the Beginning

CTO Craig Mundie says this year was spent addressing the company's major internal issues; the next year will be all about seeing whether that effort has paid off.

After a year of work on the Trustworthy Computing initiative, Microsoft Corp. executives say they are pleased with the progress the company has made thus far, but acknowledge that they've only just scratched the surface of what needs to be done.

Although it didn't get much attention until Bill Gates wrote his famous call-to-arms memo on the subject in January, Microsoft Chief Technology Officer Craig Mundie first articulated the company's thoughts on improving hardware and software security at its Trusted Computing 2001 Forum last November in Silicon Valley. At the time, Mundie talked about a broad plan that would need industry and governmental cooperation to implement.

Since then, Microsoft has mainly concentrated its effort on fixing internal issues with its software development and privacy practices. The most visible example of this effort was the security stand-down, during which all of the developers went through training on how to write secure code. A comprehensive review of the Windows code base was done as well.

And, every product that the Redmond, Wash., company ships now goes through a security review before it is released to manufacturers. All of this, Mundie says, is evidence of how seriously Microsoft is taking its security push.

"We really believe this is a thing that we have to face up to as a company," Mundie said in an interview with eWEEK this week. "A lot of good things have come to pass in this year. It really has become an initiative inside the company. There have been a lot of technical successes."

Among those, Mundie singled out the improved reliability and security of VisualStudio .Net and the success of the automated bug-reporting feature in Windows XP as particularly important.

"We've been able to collect millions of problem reports that we wouldn't have had otherwise, or would have had a hard time getting," he said. "Having Windows Update, we've been able to improve products and make them more reliable. The last step for us was fully automating the updating of user machines."

Mundie says he thought that Microsoft's efforts in Trustworthy Computing would spur other vendors to take similar action. No other major software vendor has announced a similar plan, although some, most notably Oracle Corp., have begun touting the security of their products as a selling point.

"Our hope has been that because we've been evangelizing for it quite publicly, that it will motivate other people," Mundie said. "I don't think much of that has happened yet. I believe as we make progress in this, that in itself will apply market pressures to other companies to come along.

"The reality is, it's hard and expensive and forces you to make some really hard choices. And unless you're serious about it, you shouldn't talk much about it. I don't know if everyone is up for it."

Mundie also said that he believes the government needs to play a bigger role in preventing security incidents by passing stronger anti-hacking laws.

"A lot of the established equilibrium we have in the physical world doesn't exist in the cyberworld," he said. "We have ineffective legal deterrents. And globally we don't have the homogeneity of laws to make it work."

If much of the past year has been spent getting Microsoft employees used to the idea of Trustworthy Computing and addressing the company's major internal issues, the next year will be all about seeing whether that effort has paid off.

"A lot of the focus this year was retrospective with the remediation of products that were already mature. These were the early steps in a long-term journey to Trustworthy Computing," Mundie said. "Now we're off to the races in finding a fundamental design that improves our products. This year there will be another wave of products that have been longer in the oven [under Trustworthy Computing]. We'll start to see whether this is having a legitimate effect on the security of our products."