Hardly Trustworthy

If only Microsoft could create secure software as easily as it leaks memos...

By

April 24, 2002 (CSO) — Before delving into Microsoft's epiphanic embrace of security, let's make something clear: Little if any important information leaks out of Redmond.

So when an internal memo from Bill Gates to his staff urging his minions to refocus on security finds its way into the newspaper, as it did in January, you can bet this is not a corporate communications "oops." This is Public Relations.

Two months after Windows XP was exposed for having insecure, lazily crafted code, CIOs weren't getting an inside glimpse at Microsoft saying "our bad" with the Gates memo. They were getting spin.

As PR goes, the Gates security memo was wildly successful. National media outlets rehashed the details with about as much scrutiny as a pro wrestling referee. They picked up on Microsoft's brand name for the effort, Trustworthy Computing, which Gates happened to include in the internal document. And Microsoft, which measures these things, probably saw a spike in consumer confidence about the company.

But there's no reason to deem Microsoft more trustworthy today than before Gates's memo. Even if Gates could by fiat make every new Microsoft product secure (and of course he can't), there are tens of millions of legacy systems that will live long into the future. They'll continue to expose their owners and those who are networked to them, ensuring that the patch it-break it-patch it-break it cycle will live long into the future as well. This became extraordinarily clear earlier this month, when Microsoft released another patch for the two-year-old Internet Information Server (IIS) 5.0. It covered nearly a dozen vulnerabilities that were "as bad as they get," according to one security researcher who investigated the weaknesses. "This one was really amazing," the researcher said, adding it was "every administrator's nightmare."

CIOs shouldn't suppose Microsoft developers will suddenly learn the fundamentals and intricacies of creating secure systems simply because Gates says he wants them to. In fact, our friend the security researcher (who asked to remain nameless because of business dealings with Microsoft) believes learning how to build secure systems will take years of training and redevelopment, not an epiphany from Gates. Some would even argue that without starting over and building security in from the start, products can never be secured. "I don't think they've gotten better [at] writing the code," the researcher says. "They've switched to having outside people look at the code, and having internal teams do code reviews. At this point I think they've realized how bad it is."
