- Lawrence M. Walsh
Microsoft's Mike Nash knows it's his ass if hackers make Swiss cheese of the forthcoming Windows Server 2003 and other future products. "A significant portion of that fleshy area will be gone," he jokes.
Handpicked to head up the newly created Security Business Unit (SBU), Nash is ultimately responsible for ensuring the success of Trustworthy Computing, Microsoft's massive campaign to secure its existing software and harden future releases.
"The vision of Trustworthy Computing is to deliver the same level of trust in our software as a public utility," says Nash, who has spent much of his nine years at Microsoft as a Windows marketing executive. "If you think about the service of a modern utility, you know you can depend on it. People's dependency on software is becoming like a modern utility and requires the same level of trustworthiness."
In the year since Microsoft founder Bill Gates anointed Trustworthy Computing, the company has spent more than $100 million, retrained 11,000 software developers and engineers, scrubbed countless lines of code, and applied basic and new security principles to the foundation of products under development.
"In this restructuring, there's been a great deal of discussion on what we should have been doing from early on. What's important is that we're doing it now," Nash says.
To the outside world, though, Microsoft's "security push" remains relatively invisible.
"I've seen a lot of lip service so far, but Microsoft still has a long way to go," says Ken Buszta, CISO for the city of Cincinnati. "We shouldn't have a product come out and then four days later have a major patch come out. I can't afford that."
Buszta isn't alone in his skepticism. A survey of 161 Information Security readers found mixed opinions about Trustworthy Computing, with 42 percent saying it might eventually lead to more secure Microsoft products. Conversely, 81 percent said none of Microsoft's efforts to date instills any confidence in its security (see Figures 1 and 2).
And that's the dilemma facing Microsoft as it presses forward. Trustworthy Computing not only must generate measurable strides toward more secure platforms, but also convince a skeptical IT community that "Microsoft security" isn't a laughable oxymoron.
Analysts say it could be three to five years before Trustworthy Computing bears fruit. Microsoft cautions that the initiative could take 10 to 15 years before reaching sustainable levels of acceptable security.
"When you look at it in terms of customer expectations, we know we need to do better, and we've made this investment," says Nash. "Trustworthy Computing is a journey. It's about earning people's trust over time."
Nimda changed everything at Microsoft.
Appearing just a week after the Sept. 11, 2001, terrorist attacks and exploiting many of the same vulnerabilities as Code Red had earlier that summer, Nimda ripped into Windows systems with a ferocity never before seen.
"Nimda shot through the roof," says George Roberts, an antivirus administrator at McDonald's Corp., which has 6,000 Windows workstations and servers. "It wasn't like we had one here and a half hour later another there. It was everywhere."
Nimda's direct impact didn't change Microsoft's attitude toward security. Rather, the worm's lingering aftereffects did. Fueled by heightened security awareness of the terrorist attacks, enterprise users were fed up. Meanwhile, industry analysts, such as Gartner Group's John Pescatore, started preaching the security virtues of non-Microsoft OSes--particularly Linux.
"The person who wrote Nimda should get some sort of Nobel Peace Prize for changing the way of infosec," says Patrick Heim, VP of information security at McKesson, an international supplier of health care management solutions with more than 23,000 employees.
This is the starting point for Trustworthy Computing.
"The motivation," says Nash, "is a response to the customers request and dependency on our software to be secure as [it] becomes more important for people and enterprises to run their lives."
The software giant had known for years that its security reputation ranked somewhere between Saddam Hussein's popularity rating and the Red Sox' chances of winning the World Series. And while Microsoft dutifully released security patches and service packs in response to a never-ending stream of vulnerabilities, it did little to fundamentally improve its security or foster the confidence of the infosecurity community. The user-friendliness, rich feature sets and market dominance of its OSes and applications allowed it to weather many a security storm.
"From an office suite perspective, they're unparalleled in the way they've integrated stuff on the desktop and made it easy to use," says Richard Lee Doty, president of Vertex Technology Management, an integration firm that caters to large enterprises and government agencies. "I haven't seen a whole lot from them that shows they want to work in a secure environment. Rather, they say, 'Here's how to make it work together, how to make it easy.' Easy doesn't necessarily make it secure."
Trustworthy Computing's primary objective is to change that.
The last time Microsoft made such a major philosophical shift was in 1996, when Gates made Internet connectivity the company's primary focus.
Generally, the IT and user communities are crediting Microsoft for finally addressing its security problem head on. Outright praise, though, is being withheld until the results of this effort are aired in public.
"They shouldn't be lauded for something everyone else had done for a long period of time," says Mary Ann Davidson, CSO at Oracle, one of Microsoft's chief rivals in the enterprise application market. "We shouldn't give them the Medal of Honor for trying to catch up."
The First Test
Trustworthy Computing's first test is Windows Server 2003, the replacement for Windows 2000 that's expected on the shelves sometime this spring.
Not only must Microsoft show a significant improvement in the OS's security; it must avoid an embarrassing repeat of what happened in 2001 when it released Windows XP, touted as the most secure Windows kernel ever.
We came to the realization, engineers didn't have an awareness of what things led to a security exposure. It took a year and a half to figure out how to communicate that to the development community."
Within weeks of XP's debut, hackers cracked the OS's antitheft protections, and researchers found the Universal Plug and Play (UPnP) vulnerability. (UPnP is a service that XP runs by default that automatically detects and configures connections to network devices, such as printers.) Both security problems, experts say, showed a serious weakness in Microsoft's quality control.
"It's Microsoft's flagship OS, which is supposed to be 'the most secure ever,' so this doesn't look too good for them," said Marc Maiffret, chief hacking officer at eEye Digital Security, in an interview with Information Security last year.
If Windows Server 2003 is to pass muster in the marketplace, Microsoft must convince people like Nan Smith, the cybersecurity program manager at Oak Ridge Associated Universities in Tennessee, that its commitment to security is real, not just more marketing spin.
"They're paying a lot more lip service to security than they are actually building into their code," Smith says. "Just the fact that they're throwing things out very quickly, throwing things out with a lot of holes in them, shows that they're not paying that close attention."
Microsoft may not have paid attention before, but it is now.
"Everything seems obvious in retrospect," says Craig Fiebig, general manager of SBU's product management group. "Could we have gotten here sooner? I wish. What's important is what we're doing now."
Security has been an integral part of Windows Server 2003 from its conception nearly three years ago. Microsoft applied past security lessons to make the replacement for Windows 2000 "more secure" than previous Windows generations, the company insists.
As evidence of its commitment to security, Microsoft points to the time last year when it suspended development of Windows Server 2003 to do an extensive security review. It found numerous design flaws and security problems--many fundamental in the coding. So, the company immediately started retrofitting.
Microsoft isn't making boisterous claims about the operating system's security. Nash and other executives say it will be "more secure" than previous versions, but nobody's guaranteeing that it will be bulletproof.
If nothing else, Windows Server 2003 represents a significant change in Microsoft's business philosophy and development process. For the first time in company history, concerns over security caused a delay in the ship date of an important product, and the OS will come out of the box with all services turned off by default--something security experts have called on for years.
"No product is signed off without a security review. It's absolutely a ship criteria," Nash says. "There are going to be vulnerabilities, but we'll eliminate as many as we can before [software] reaches the customer."
To ensure that happens, Microsoft first had to go back to the fundamentals: Retraining thousands of developers to build more robust, secure code.
Poor code quality and obvious vulnerabilities allowed hackers to make mincemeat out of Windows 95, 98 and NT. Doug Bayer, the longtime director of Windows Security, knew Microsoft had a problem and started working on fixes in 1998. It was too late to retrofit the existing OSes, so Bayer and his group focused on making the next generation more secure--XP and Windows 2000.
"We were coming to the conclusion that there was no silver bullet, no fundamental architectural change," Bayer says. "We came to the realization that engineers didn't have an awareness of what things led to a security exposure. It took us a year and a half to figure out how to communicate that to the larger Microsoft development community."
Initially, the biggest problem facing Microsoft's security teams was their lack of political support. Microsoft's business model of packing new software with new features made it difficult for Bayer and others like him to incorporate even fundamental security principles into products.
But Bayer did win a major battle, the need for training Microsoft's developers in secure coding techniques. By September 2001, Microsoft had filtered 2,500 developers and engineers through its security classes and started ratcheting up quality expectations.
The classes were based, in large part, on the book Writing Secure Code, coauthored by Michael Howard, a senior security program manager in the Secure Windows Initiative. Since joining Microsoft in 1993, Howard has been a staunch advocate of Microsoft security, resisting any suggestions that Windows can't be secured.
Ironically, Nimda was the saving grace for Bayer and Howard.
Virtually overnight, Nimda made security the top priority, and Gates and other top executives authorized last year's two-month stand-down from Windows development work. During what Microsoft calls "the security push," Microsoft rammed developers, engineers and business partners through a security boot camp, literally pounding fundamental secure coding principles into their heads.
The training program produced dramatic results, shifting Microsoft's culture.
"What was exciting is you could walk through the development buildings and you'd spot two developers chatting, talking about security issues, and that never happened before. It really stirred the issues and raised the mind-set," says Eric Schultze, a former member of the Trustworthy Computing team who now works for security tools maker Shavlik Technologies.
The stand-down was the foundation for months of behind-the-scenes work that's only now coming to fruition.
Microsoft spent the better part of last year reviewing existing code, revamping its security processes and incorporating security lessons learned over the years into its new "get secure, stay secure" paradigm.
The results were immediate.
Microsoft released service packs for XP (SP1) and Windows 2000 (SP3), correcting many known and publicly unknown vulnerabilities. It wrote automated tools to check for buffer overflows in software. And it changed basic configurations to make Windows and other applications more secure out of the box.
"It's been an amazing transformation," Howard says.
The trick, Microsoft insiders say, is sustaining this momentum.
Microsoft now requires all developers to take the secure coding class within three months of joining a product group. All coders are also held accountable for the security of their code. Although Microsoft declined to discuss personnel issues, some staffers indicated that developers have been disciplined and fired because of the poor quality of their work.
Security training is an important step, but some experts say it will only take Microsoft so far. Trustworthy Computing will be meaningless unless Microsoft addresses the way its software interacts with other applications, which often causes more security problems.
"Once you get past these implementation problems, and you get to the architectural level, that's where things get a bit trickier. That's where Microsoft will have to concentrate its effort next year," says Gary McGraw, CTO of Cigital, a provider of software security testing tools, and coauthor of Building Secure Software.
High Stakes for Failure
Microsoft is reluctant to admit that market pressures influenced its security epiphany, but the evidence is hard to ignore.
Trustworthy Computing is just as much about preserving market share by keeping disenfranchised customers in the fold and improving the company's reputation so it can grow in new markets--particularly the server-side enterprise market.
"If they didn't take a more serious approach to the security program, my posture would be to be more serious about finding an alternative," says Lance Braunstein, executive director of Morgan Stanley's Infrastructure Engineering for its retail division. "So, Microsoft's security initiative has been a big factor in keeping them in my data center."
While no one can touch Microsoft's desktop OSes or Office suite--virtually a requirement for computing in the contemporary business environment--other OSes and common applications are slowly eroding Microsoft's dominance.
Eighty percent of a recent survey of Information Security readers said that Microsoft's continuing security problems are causing them to look at alternates--such as Linux/Unix for operating systems, Apache for Web servers, Lotus Notes for e-mail and Netscape Communicator and Opera for Web browsers (see Figure 3).
"The enterprise market is one of the areas where Linux and Unix have had success, so Microsoft has to shore up its security to go head to head," says Gartner's Pescatore.
The survey echoes the growing resentment among enterprise customers, many of whom are exhausted by the resources required to secure their Microsoft networks and remediate them from breaches.
One of the more vocal critics is John Gilligan, CIO of the U.S. Air Force. With a $6 billion IT budget and more than 500,000 Windows workstations and servers, Gilligan was one of the first to use his purchasing power to call on Microsoft and other software vendors to produce more secure code.
"The issue that I was trying to put some attention on is the fact that software vendors, Microsoft being the largest, paid too little attention to the quality of their software," says Gilligan. "As the flaws in the software were discovered, I, as the consumer, and I, as the Air Force, was spending more manpower and money to get the patches and make sure they're installed."
What enterprises want is proof that Microsoft is truly committed to improving the quality of its code and the security of its applications.
"In the enterprise world, [Microsoft] has a long way to go to convince the rank and file that they've met their security needs," says Charles Kolodgy, an Internet security analyst at IDC. "I don't ever see Microsoft products being the most secure, but they'll be very functional. If you really want security, you're going to have to add something on to it."
SBU's Nash bristles at the suggestion that Microsoft security should be held to some ill-defined industry standard. "The bar with which we measure ourselves is one that compares us to the customer need, not to the competition," he says.
Yet, Nash and others can rattle off the top of their heads the number of vulnerabilities Windows has had last year compared to major competitors.
Through November, Nash recounts, XP has had 28 and Win2K 36 vulnerabilities compared to 53 for Linux. Shifting gears, he spits out numbers for other operating systems--68 for Sun, and 80 each for Red Hat and Mandrake.
"There's a change in the shape of our security," he says. "Is it a direct response to the work we've done? It's hard to precisely show the correspondence, but it's hard to dismiss the causal relationship."
"Our goal is zero vulnerabilities," Nash adds. "One is more than we want, but people are going to find things. The thing we want to look at is reducing the number they find."
Reducing the number of vulnerabilities is one thing, but critics say Microsoft's actions still speak louder than its marketing. For instance, the vulnerability reports Nash cites are accurate, but fail to take into account the security problems in other Microsoft applications, such as Internet Explorer and Outlook.
Further, Microsoft is fostering doubt about its ultimate goals. The company continues to support the nondisclosure of vulnerabilities, saying full, immediate disclosure opens enterprises to attack before software vendors have a chance to respond. It also asserts that closed-source software is more secure than open-source counterparts, and has commissioned reports that show Windows' higher performance and lower long-term costs than Linux. Pundits say this is evidence that Trustworthy Computing is merely marketing hype.
"This is a PR campaign, so the most important thing is fix the stuff that's currently deployed to end the PR nightmare," says Russ Cooper, editor of NTBugtraq and surgeon general of security assurance firm TruSecure (TruSecure publishes Information Security).
The less skeptical are convinced that security is a priority for Microsoft, at least for now. Gartner's Pescatore believes Microsoft will remain committed to security until the "next big thing" comes along. "We don't see that happening until at least 2005," he says.
But Microsoft says Trustworthy Computing is real and its goals have no expiration date. Nash fervently asserts the company's pledge to make gradual improvements with each new generation of software--Longhorn, the replacement for XP, and Yukon, the replacement for SQL, will be significantly more secure than even Windows Server 2003, he says.
Just what those improvements will be are undefined. Microsoft is purposefully ambiguous about the details of Trustworthy Computing. Tools are coming. New features are coming. Tighter code is coming. Better vulnerabilities reports and patches are coming. Ambiguity, some say, gives Microsoft flexibility, but also makes improvements difficult to measure.
Ultimately, Microsoft wants its software to follow three principles: Secure by design, secure by default and secure by deployment.
"We want continuous improvements in all three of these dimensions," says Nash. "There's going to be a security push for Longhorn; it's a part of the plan. The same thing is true for everything; security is a part of the process for every product that we ship forever."