We spoke with Steve Adler, a senior consultant with Microsoft, and the man responsible for the company's "Trustworthy Computing" initiative in EMEA, at Tech Ed, Microsoft's developer event in Barcelona during early July. Adler says that Microsoft's much publicised security initiative puts it ahead of the open source community.
"We need to lead the industry," said Adler. "We must lead a security initiative across the whole industry, to adopt a more secure mindset. If we want our customers to exploit the Internet to the full, we have to lead them."
He pointed out that trustworthiness is a wider issue than just security, "Trustworthiness means security, and also availability considerations. Things should work as advertised. We want to create an environment where people have the assurance that they can do things across the Internet that don't compromise their security."
To Adler, the battle is won already. "Microsoft customers are deploying .Net. The general public's perception of us has all the hallmarks of trust. We have a huge amount of trust."
He concedes that "we could have better product support and guidance." But thinks that people who don't accept Microsoft's role as a security leader are misguided or worse: "People who read Slashdot take things out of context. What do you do to change their opinions? You tell them the Earth is round, and they say it is flat."
Securing the technology
The technology itself is a major part of the initiative. One element is the Secure Windows Initiative, part of last year's Microsoft security push, the so-called "War on hostile code" launched in April 2001. "We are making sure the quality is as good as we can get it," said Adler. Under this year's regime, every product has a mandatory code review for security, which in the case of .Net server cost a well-publicised $100 million in delayed delivery "We've done a lot of work on the process, using peer review, design reviews and third party reviews," said Adler. Visual Studio .Net, for example was reviewed by California-based security specialist Foundstone, resulting in a new default security policy and was included in the Service Pack for Visual Studio .Net, released in May. Educating the users
But another major factor is simply locking down the products that exist, and educating users to think about security. "We are trying to give a more secure out-of-the-box experience," said Adler. "For example, on Windows servers, IIS is not installed by default." Putting the web server on by default made it easier for users to set up servers quickly, but meant that a lot of vulnerabilities (associated with active server pages, for example) are open on sites where people do not realise IIS is running. "You have to explicitly turn these features on now," said Adler. "We may cop some flak from companies if we make things harder to discover, but the benefit is people don't have compromised systems." The Windows Update tool, introduced in XP, was intended to ensure that user systems are given security updates automatically, but it didn't play well with enterprises, who did not want to hand over control of security updates to an outside operator. Microsoft has since set up a system for enterprise IT managers to receive and distribute software updates on their networks, having tested the patches work with their corporate systems: "The Software Update Service helps corporations to automate the patching process, and protect their systems." The nub of it, it seems, is making security usable -- presenting the issues so that the broad mass of users can understand and work with them, and operate securely. Other elements include courseware and certification -- "There will be a security related certification programme," said Adler. Palladium -- don't hold your breath
He was keen not to make any grandiose claims for Palladium, Microsoft's controversial proposal for a future secure architecture based on public key cryptography. "Palladium is a long term project, not something you can buy in the shops," he commented. "It is several years off." Critics of Palladium see it as a way for Microsoft to integrate software and hardware more closely and limit the software that will run on its systems, as well as introducing Digital Rights Management which will limit the ways content can be treated by the system -- in other words more to do with securing Microsoft revenues than user data. But Adler believes it will bring something new and less controversial. Ultimately, he expects Palladium to be routinely used to provide users with PCs that they automatically trust for such tasks as visiting bank sites for transactions. "Nowadays when you buy a car, it will have immobilisers but no steering lock. If you want a steering lock, you have to understand it, buy it and fit it yourself," he said. "There are a combination of things that allow us to improve the system." The milestones of the Trustworthy Computing initiative will be Service Pack 3 for Windows 2000 and Service Pack 1 for Windows XP, he said, as well as a revamp of several security tools, coming before the end of the year. In future the security aspect will not slow development: "There will be payoffs in future versions," he hoped. "We can back port things to previous versions, although patching will always be with us." But can you ever make a system completely secure? Surprisingly, Adler thinks you can, but only at the cost of functionality. "Once you reach a certain level of maturity, there are no exploits for hackers to take advantage of," he said. "If you stop adding features, you could go through and eliminate all vulnerabilities till the weaknesses are approximately zero." "However, there are always new problems to solve," he said. Applications have to deal with new demands, and so Microsoft, even if it swore off new features, would be forced to deliver them. Microsoft versus open source
When posed the question "Who is best, Microsoft or open source?" Adler replied "I like this debate. There are enough proof points to show that proprietary source code can be as secure as open source code." He noted that a recent bug in Apache was accompanied by public debate over whose job it was to fix it (perhaps not that different from what might happen inside a software company, of course). "Who will fix and distribute a patch?" he asked pointedly. "Who does the reviews of open source code?" "One proof point I would like to point out is this. The CERT [security watchdog] site has information about a buffer overflow bug in Kerberos [a widely used security software component]. The bug has just been found in code that has been in use for ten years." Other bugs have been found in DNS services. "This is important code," he said. "Where is the QA process? Just because code is available, there is no proof that someone has reviewed it." "We have a process in place to fix vulnerabilities," he said, indicating the Microsoft Security Response Centre, established for some years, (mailto:firstname.lastname@example.org). "It's open 24x7, and triages all the alerts it receives, so urgent calls get dealt with. It's like a Microsoft CERT -- it notifies CERT of any problems and their resolution." "If a user notifies us of a vulnerability and there are no fixes, it goes to engineering for a quick fix," he said. "Typically there is a patch out within 24 hours. We have a good process internally to respond to vulnerabilities and get patches out to the marketplace." With all this coming out of Microsoft's Redmond HQ, it is tempting to wonder if there is enough of a European angle to justify Adler's role, but he claims to have an active part to play in the future development of Microsoft's trustworthy computing push. "We look at EC digital signatures legislation, and how to comply with it. It's my responsibility to feed stuff back to the EC on meeting the requirements." Clearly, Adler can talk the Microsoft security talk, but can Microsoft walk the walk?