Microsoft: Security Is An Industrywide Problem


Microsoft is working hard to secure its products, but security is an industrywide problem that is tough to solve.

That was the message Craig Mundie, Microsoft CTO of advanced strategies and policy, gave in a keynote Wednesday at the RSA Conference here.

"There's nothing we or others can do to fire a silver bullet at this problem," he said. "For all of us, this cycle [of security threats has no end."

Mundie reiterated the steps Microsoft is taking to boost the security of its products, including changing coding practices, training developers in best security practices and including security by default.

Last month, in a well-publicized companywide memo, Microsoft Chairman and Chief Software Architect Bill Gates directed employees to make security a priority rather than just a feature in product development.

While Microsoft may beef up security and make it easier for customers to deploy patches, security is an industrywide problem and cyber threats continue to grow exponentially, Mundie said.

Computing is becoming more and more complex, an environment that malicious code can exploit, he said. "People are losing ground to the machines."

Another problem is that while Microsoft makes improvements on its new products, those new versions make up only a small part of the installed base of computers, he said.

"One of our big questions is how far back to stretch," he said.

Improving security will require new development, testing and auditing tools, and hardware and networking improvements such as better failover and redundancy, he said.

Errol Weiss, vice president of the Mid-Atlantic region at New York-based security-services firm Predictive Systems, said Microsoft's security initiative is admirable but added that "people and processes" are the root of security problems rather than insecure applications. Plus, he said the Internet was created by researchers and not built to be secure.

"I know I have other problems to worry about" than the operating system, he said.