Microsoft's Security Plan


Microsoft is making progress in its much-publicized Trustworthy Computing initiative, but making software more secure is a long-term process, said the company's new chief security strategist.

"Trustworthy Computing is a long-term goal. But we're already doing things we could describe in a different way by calling it SBD: Secure by design, secure by default and secure by deployment," said Scott Charney, the former federal prosecutor and PricewaterhouseCoopers cybercrime expert who joined Microsoft in April.

The Trustworthy Computing initiative was instituted earlier this year after Microsoft Chairman and Chief Software Architect Bill Gates told employees to make security a priority over new features in product development.

Sending 7,000 Windows programmers "back to school" for security training and building tools to look for buffer overruns are two things Microsoft has done to support its goal, he said.

In addition, Microsoft is working to secure its products by default, Charney said, citing version 6 of Internet Information Services (IIS) as an example because it ships with features turned off.

"It used to be we shipped products with all the bells and whistles enabled," he said. "[But by having everything turned on, you had a lot of things running that you might not be paying attention to and might represent a security risk."

Charney also said he is looking at ways to streamline releases of Microsoft's security patches. "We need to do patch management better," he said. "That's part of security usability."

Rex Frank, CTO at Alvaka Networks, Huntington Beach, Calif., said he is optimistic that Microsoft will follow through on its security initiative. "They've taken so much bad press that they have no choice but to commit to it," Frank said.

Jerry Freese, director of intelligence at Vigilinx, Parsippany, N.J., said Microsoft has a big job to accomplish. "I think they are sincere, but I don't know what the extent of their success will be," he said.