Scott Charney, chief security strategist at Microsoft, told developers at the TechEd 2003 conference in Brisbane that information collected by Dr Watson, the company's reporting tool, revealed that "half of all crashes in Windows are caused not by Microsoft code, but third-party code".
Charney's comments come as the company highlights the rigour with which it tests its own products before release. Microsoft emphasised that products such as Yukon and Exchange Server were undergoing thorough testing -- both internally and via independent third parties -- prior to their release.
The company is employing root-cause analysis and event-sequence analysis procedures to scrub out the creation of sloppy code. The result is that individual developers have a high degree of accountability for the code they produce, while the systems and processes associated with code development are rigorously monitored.
Root-cause analysis enables the company to check closely the work of individual developers. “If a developer has written vulnerable code, then we look at what else that developer has written and check it,” Charney said
Event-sequence analysis takes this further, analysing the reasons why the vulnerable code was written. Charney said it was not necessarily so they can sack whoever is writing vulnerable code, but to find out the reasons why, and help Microsoft to improve staff with training or more efficient processes.
As Charney made his remarks, Charles Sturt University announced they would be offering a Master of Information Systems Security degree including MCSE:Security industry certification.
Charney also reinforced Microsoft's message to developers and network administrators that they needed to build secure applications and networks "from the ground up".
The chief security strategist's remarks have come at an unfortunate time, as mainstream and niche media outlets produce heavy coverage of the impact of the MSBlast worm, which has infiltrated corporate and enterprise networks worldwide.