MS security chief: We are not stopping development

In an exclusive interview with ZDNet UK, Microsoft UK's first chief security officer explains the reality behind the hype of the company's widely reported security initiative

Microsoft has appointed a chief security officer for the UK as part of its efforts to build better protection from hackers and viruses into its market-dominating software. The appointment of Stuart Okin, an e-platform technology practice manager with Microsoft Services Organisation for five years, will be publicly announced within the next few days.

Okin's appointment comes at a critical time for the software giant, which is trying to build up momentum behind its security initiatives while winning the trust of consumers and large corporations for its new e-business framework, .Net.

Microsoft launched the development environment for .Net, Visual Studio .Net, earlier this week. Shortly afterwards a US security firm claimed to have found a security flaw with a .Net component. Microsoft has not yet acknowledged whether the flaw exists.

However, Okin criticised companies who go public with software flaws before they've been fixed. "Responsible bodies should be going back to the vendors with any security concerns first, giving them an opportunity to put a patch together before it is announced," Okin said. "We will listen, and we will examine anything that is brought to us."

In early February, Microsoft engaged in what it characterised as a major month-long security drive, putting its Windows developers, testers and programme managers through courses in secure programming and taking other measures to steep them in the principles of security. The initiative follows the publication of a company-wide email from Bill Gates last month, in which he called for employees to put security first, urging them to help the company make the .Net infrastructure a platform for trustworthy computing.

However, Okin says the month's events are really just the next step in a security drive begun last year with the introduction of Microsoft's Secure Windows Initiative.

"We're not stopping any developing. We are continuing to innovate and develop," Okin said. "This is just concentrating on making sure that security is there and that the quality bar is being raised... It's an evolution, if you like: we are now having a direct focus on this."

What with Okin's appointment as chief security officer for the UK also occurring this month, it would seem that the Microsoft publicity machine is keenly aware that the company needs to be seen to be taking action on security if .Net is going to succeed. But the activity isn't just skin-deep, he says.

"It isn't just a matter of Microsoft getting a better reputation. The proof will be in the pudding," Okin said.

Microsoft says it subjected Windows XP, Office XP and the .Net infrastructure to an intense degree of scrutiny before they were released, and Windows 2000 is now undergoing a review, the results of which will be incorporated into Service Pack 3 sometime this month.

Programmes like the Secure Windows Initiative and the Strategic Technology Protection Program (STPP), which aims to encourage security in enterprises, have won Microsoft good marks for effort, but the company is not yet able to claim to have reduced the scale of its security problems, as recent bugs and virus outbreaks attest.

Other projects have been received less warmly, like Microsoft's "Shared Source" programme, which is designed to emulate the success of open-source software at allowing customers to participate in fixing problems.

Shared Source, introduced last summer, enables participants to view select chunks of Microsoft source code, but not to modify it. Open source licences allow customers to modify code and redistribute it, as long as they make their modifications freely available to other developers.

Microsoft claims that Shared Source makes it easier for customers to spot and report security flaws, but open source advocates say that the inability to modify code renders Shared Source effectively useless.

In making its huge installed base of Windows software more secure, Microsoft is also limited by the willingness of consumers to upgrade their software with frequent patches. The recent MSN Messenger virus, for example, managed to spread despite the fact that a patch had already been released.

The process for applying new patches has been streamlined with Windows XP, but unless consumers are willing to surrender the process entirely to Microsoft, the choice will still fundamentally rest with users.

"People want to be able to control what's loaded on their machine, but there's also the need to protect the infrastructure," said Okin. "It's a difficult situation. There's no simple answer."

CNET News.com's Robert Lemos contributed to this report.


For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

See the Software News Section for the latest headlines on everything from peer to peer clients to Office software and beyond.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.