Newsbytes 2002-01-17
Microsoft chairman Bill Gates tells employees that failing to make products less vulnerable to security breaches will jeopardize the firm's future.
A shift in corporate strategy by Microsoft to emphasize security in its products could bomb with consumers and hurt the market for third-party security products and services, experts said today. But the sea change was necessary to save Microsoft's business in the long run, especially with corporate customers, they added.
The new emphasis on "Trustworthy Computing," announced in an e-mail to Microsoft employees Tuesday by Chairman Bill Gates, calls for the company to treat security as a top priority - even ahead of developing new product features.
"When we face a choice between adding features and resolving security issues, we need to choose security," wrote Gates in the memo, which he likened to his 1995 missive that galvanized the company around emerging Internet opportunities.
Microsoft's epiphany was regarded skeptically today by some security professionals who see it as a marketing ploy to energize sales of products such as its new Windows XP operating system and .NET software services.
"This seems like pure public relations to me. It's only words. Let's wait and see if there will be any real change," said Georgi Guninski, an independent security consultant who has discovered several flaws in Microsoft's products.
While the company's new emphasis on security may have been driven by a desire to boost sales, the shift goes deeper than public relations and will require major changes in the company, according to John Pescatore, research director for the Gartner consulting firm.
"This was driven in large part by the immense response from big corporate customers after Code Red and Nimda. The CEOs and CIOs of Microsoft's biggest accounts said, 'This is killing us. We cannot live this way,'" said Pescatore, who authored a report last September advising corporations to move away from Microsoft's Web server software because of its security problems.
To "walk the talk" on its new corporate strategy, Microsoft must shake up the culture of its product management groups in particular, Pescatore said.
"I think developers at Microsoft are open to this change, but product management still believes they can't sell software without adding new features," said Pescatore.
For example, in the company's Windows XP product, which shipped last fall and was touted for its improvements in security, product management "jammed in dangerous features like remote administration that should have raised all sorts of security red flags," said Pescatore.
"I'll believe they've changed when Microsoft starts proactively releasing advisories about vulnerabilities that they discovered themselves. Until then, it's purely talk," said Marc Maiffret, chief hacking officer for Eeye Digital Security, which recently found a severe security flaw in Windows XP and also identified the vulnerability exploited by the Code Red worm.
To help reset the corporation's priorities, Microsoft has created a centralized security group that reports high in the organization, according to Chris Wysopal, director of research and development for AtStake, a security consulting firm.
"This group is staffed with really good security people and has a significant budget. This is the first time Microsoft has a centralized security organization concerned with security during the development process," said Wysopal.
But such an organizational change may not manifest itself in actual products for at least 18 months, Gartner predicts. In the meantime, Microsoft's security emphasis may simply take the form of shipping software with security-threatening features turned off rather than enabled, as is the current practice.
Microsoft's new emphasis could create a period of uncertainty for the entire security marketplace. On the one hand, if Microsoft is able to ship significantly more secure products, it could mean a reduced need for anti-virus software and other amelioratives, Pescatore said.
On the other hand, Microsoft may respond to its security crisis by making it easier for third parties to develop security products that work with Windows, such as by publishing information on programming interfaces for the operating system, according to Pescatore.
Richard Forno, chief technology officer for information assurance provider ShadowLogic Corp., called on Microsoft to take that approach even further and publish the complete source code of Windows and other products.
"Given the decades-old proprietary patchwork of many Microsoft products, the only way to truly certify that Microsoft's internationally developed products are indeed secure and trustworthy is to release the code to the security community at large for analysis," he said.
Even if Microsoft is able to clean up its act on security, there will still be plenty of work for information security professionals, according to Greg Shipley, chief technology officer for security consultancy Neohapsis.
"Today's organizations face an onslaught of information security problems - problems that involve a lot more than just Microsoft-based misery," said Shipley.
While it may be driven by a desire to prevent a market backlash, Microsoft's security initiative may not immediately strike a chord with consumers, Pescatore said.
"Microsoft is ahead of market demand on this. Consumers do not currently value security over features. But that is starting to change. Because of the Internet and publicity over bugs and viruses, security is starting to move up the priority list," he said.
Forno agreed that businesses are not the only customers demanding improvements in Microsoft's product security.
"Joe Public doesn't take kindly to security problems that impact his privacy, e-mail, or ability to conduct personal consumer transactions online," he said.
Reported by Newsbytes, http://www.newsbytes.com.