Microsoft's Security Plan Gets Mixed Reviews

Microsoft's security plans for Windows and other products draw industry praise and criticism, as well as questions about its motives.

Microsoft Corp.'s plan to add a slew of new security features and functionalities to Windows and other products is drawing a mix of public praise and criticism in the security community, even as many experts express private concerns about the company's motives and tactics.

The additions, which Microsoft Chairman and Chief Software Architect Bill Gates discussed at the RSA Conference here last week, include a range of improvements to the firewall in Windows XP as well as a plan to implement behavior-blocking and other dynamic security technology in the operating system. Microsoft will also add lightweight code-scanning tools in the next version of Visual Studio, code-named Whidbey.

All the moves come under yet another security umbrella from Microsoft called Active Protection, an extension of the company's Trustworthy Computing initiative.

Despite the positive direction, many experts at the conference were underwhelmed by Gates' announcements.

"Security is not as exciting as the next cool thing in Windows," said Bruce Schneier, chief technology officer of Counterpane Internet Security Inc., in Cupertino, Calif. "[Gates] had an opportunity to wow us. I wanted to be wowed. I didn't want to hear about cool dialog boxes."

However, "it's a big boat to turn around," Schneier said. "Give him some quarter for that. But he's had some time to turn about the boat. Security should be his bottom line."

To find out what else Schneier had to say about Gates' announcements, read "Security Guru Unmoved by Gates' RSA Remarks."

Users also criticized the Redmond, Wash., company for what they see as a lack of innovation, and they said it will be years before the Active Protection capabilities are refined enough to be useful.

"This is the way they work," said a security manager from a large government agency who asked not to be identified. "They take things that other people have done, put them in their own products and then try to tell you they're as good as the stuff that's already been out there for years. It's not going to suddenly make us think Windows is more secure or change the way we buy their stuff. But it's probably bad news for a lot of security vendors."

Vendors and users point to Microsoft's partnerships and relationships with companies such as Sanctum Inc. and TippingPoint Inc. as evidence of such activity. Microsoft and Sanctum have worked together for some time, and Sanctum's AppScan DE solution is similar to the code-scanning tool in Microsoft's Visual Studio enhancements.
