Microsoft earns security badge

But that's precisely what happened when Microsoft announced on October 29 that its Windows 2000 Pro software line had received the so-called Common Criteria certification, an internationally recognized standard for secure design and implementation of info-tech products. Fourteen Western countries are now signatories of the Common Criteria, which is widely considered the gold standard of security certifications, the big kahuna that carries the most weight.

Does this mean Microsoft is really serious about security? At the risk of getting flamed by all the Redmond-haters out there, I would have to say yes. The fact that the software giant is even willing to undergo these types of invasive and costly audits illustrates that the old days of freehand coding and willy-nilly programming with little real structure or methodology are gone for good.

And unlike most software companies, Microsoft actually has a line item for security engineers and security-testing costs in its budgets. "We have spent a lot of people's time and effort and money, and actually made changes to the product to ensure that customers would have a secure platform and that there would be independent third-party validation," says Steve Lipner, Microsoft's director of security assurance.

Work to do
That said, achieving Common Criteria is really just a starting point to building secure software. Witness Microsoft's revelation on October 30 of three more security flaws (one ranked critical) in its Windows operating system--including a security system that passed Common Criteria--just a day after its triumphal certification announcement. CIOs and tech managers should understand that even Common Criteria certification doesn't require a line-by-line code review and, as Microsoft freely admits, provides no assurances that software will be free of security flaws. Persistent findings of new holes in Microsoft products mean it still has lots of work to do in making sure its code is rock-solid.

The Common Criteria standards arose from international efforts in the 1980s to define security guidelines for IT products and create internationally accepted ways to test and certify security. Seven Common Criteria evaluation levels are now recognized. The various involved parties, such as the U.S. National Institute of Standards & Testing (NIST), have agreed on commercial testing criteria for only the first four levels (no widely available commercial product has obtained a fifth-level certification). The criteria range from basic functional testing of security at the first level to more extensive code and methodology review at the fourth level.

The most rigorous evaluation level that can be tested now by commercial labs, Evaluation Assurance Level 4 (EAL4), is required by the U.S. government for any IT equipment and software that handles sensitive but nonclassified information. Microsoft passed muster for this highest level with independent third-party testing lab Science Applications International Corp. (SAIC).

Three-year effort
Microsoft received Common Criteria EAL4 certification for Windows 2000 but only for versions that have been augmented by software Service Pack 3 (the third big update to Windows 2000) and not previous versions. To receive the certification, SAIC tested Windows 2000 cryptography modules, directory systems, file systems, access-control systems, and just about every other software component pertaining to security.

One important point: Lipner says the software configurations Microsoft submitted for Common Criteria aren't tweaked to maximize security at the expense of usability, a common tactic for companies trying to pass Common Criteria with so-called "government versions" of their software. "What we offered was absolutely a standard, commercial version" with some minor lock-down modifications, says Lipner.

Getting Common Criteria took three years of work by hundreds of engineers and cost millions of dollars for Microsoft, which had to make extensive code revisions along the way. "We are determined to not merely say we are building secure products but to also let people look at our code and our practices and provide external assurance," says Lipner.

Real evidence
Even some of Gates & Co.'s harshest critics would agree. In September, 2001, tech consultancy Gartner Group told its clients to stop running Microsoft's IIS (Internet Information Systems) Web server due to security problems. Flash forward a year, and Gartner analyst John Pescatore says Microsoft has fixed most of the bugs in IIS. "I believe Microsoft actually has gotten serious about security. I've seen real evidence of real changes in how Microsoft product managers emphasize security over product features. That's the key issue," says Pescatore.

He has also been impressed by what he has seen in security considerations for versions of Microsoft's .Net Server 2003, a piece of software designed to deliver services that help link Web sites and sync data between disparate systems. "For the past year and a half, I believe Microsoft deserves an A for effort, given the complexity of their software and their efforts at addressing problems. Unfortunately, they are very poor in public outreach activities," says Pete Lindstrom, research director for Spire Security, a consultancy in Malvern, Pa.

Effort and progress aside, no one--even Lipner--claims Microsoft is even close to bug-free code. "I am not one of the many Microsoft bashers out there," says Lindstrom, "but it seems pretty clear that many people would not put Windows 2000 on their 'most secure operating system' list." And according to a report released on October 31 by British computer-security consultant mi2g, 44 percent of the known software vulnerabilities announced in 2002 affected Microsoft Windows, compared to 19 percent affecting Linux.

Just one yardstick
That's proportionally less than Microsoft's share of the computing infrastructure but still high enough to warrant concern. The sizeable bug count also illustrates the limits of using Common Criteria as the sole yardstick of security. "The Common Criteria is a framework for security evaluations. It is not a level of security. It's like saying 'my child graduated' without knowing if it was from kindergarten or university. An average CIO does not know that," says Bruce Schneier, chief technology officer of Internet security-monitoring firm Counterpane Internet Security.

The upshot? Hats off to Redmond for taking steps to make security a real part of its software construction process. Now, fewer bugs, please.

Microsoft Earns a Security Merit Badge
First published on November 5, 2002
By Alex Salkever

Do think Microsoft is truly on the road to more secure software? TalkBack below or e-mail us with your thoughts.