Microsoft Sounds Security Call

At TechEd 2003 in early June, Scott Charney, Microsoft's chief security strategist, said he is working to adapt the company's corporate culture to make patch application more uniform and rational.

"Microsoft today has eight different installer technologies. Some patches register with the operating system; some don't. Some patch DLLs; some [patch] binary code," he said. "Every patch should have an installer and an uninstaller, a way to back out of the fix gracefully if needed."

A whopping 95 percent of hacking exploits occur after patches are published, and Microsoft and others want to make patch application easier so companies don't wait to apply them. The infamous SQL Slammer worm, for example, wreaked its havoc shortly after a patch for it was made available.

To bolster security efforts, Microsoft at TechEd 2003 launched a Microsoft Certified Systems Administrator (MCSA) security specialist designation and an analogous certification for Microsoft Certified Systems Engineer (MCSE).

The MCSA security designation requires two exams in addition to the four existing MCSA core-skills tests. The MCSE certification adds three tests to the current certification requirements. The exams are available now.

Microsoft also unveiled a partnership with Mountain View, Calif.-based VeriSign to integrate VeriSign's Managed PKI Services with Windows Server 2003 to provide what the companies described as a next-generation public-key infrastructure (PKI) platform later this year. The platform aims to address enterprise security needs such as strong authentication for remote access, the companies said.

Microsoft clearly has something to prove when it comes to secure computing. At a recent Microsoft-hosted customer panel, several IT professionals acknowledged that the perceived vulnerability of Microsoft products has caused huge problems and that it really doesn't matter to a CEO if the snafus result from faulty software or from risky IT practices.

"It's Microsoft's fault, and it's our fault also," said Gafar Lawal, director of architecture at Merrill Lynch. "We were vulnerable [because] our process didn't handle the number of patches. We also took very seriously that our partner [Microsoft] had such a flaw in their code."