Published: 01 Mar 2002
Microsoft Chairman Bill Gates recently told his troops that it was time to learn about computer security. So 8,000 Microsoft systems programmers will march off to boot camp for a month of security training.
I'm glad to hear it. Viruses and worms--such as Code Red, Melissa, LoveLetter, Nimda and MyParty--have been wreaking havoc on the Internet. It's nice to know that, now that Windows XP is on the shelves, Microsoft is going to check it over for security flaws.
But security may be more difficult than my esteemed colleague expects. At Sun, we've spent 20 years building security into the box. Solaris, Sun's Unix-based operating system, was designed from day one for a multiuser environment, and security was a concern from the beginning. And when Sun developed its Java technology for automatically downloading executable code from the Web, security was a primary design requirement. To keep downloaded code from misbehaving, we designed in such groundbreaking language implementation technologies as code-safety verification and runtime security domains.
Security isn't an extra feature in some pull down menu, or an add-on application like a Web browser. It's a necessary, fundamental characteristic of the underlying operating system. Security has to be part and parcel of every design decision.
Security limits what you can do; that's the whole point. But for years, Microsoft's style has been to choose convenience over security. So when an e-mail attachment claims to be a JPEG photo, Microsoft's Internet Explorer opens it on demand for viewing. That's really cool until you unknowingly open a virus-laden executable program thinly disguised as a JPEG file. By then, it's too late. Other browsers, designed with security in mind, examine the attachment itself to see whether it's really a photo or malicious code before blindly executing it.
Another "convenience" is the recent case of Internet Explorer allowing a script in a Web page to access files on the local client. That makes scripts extremely versatile. It also allows a script loaded from one site to access cookies belonging to other sites. This enables "spoofing": one Web site can masquerade as another.
In a networked world, security is fundamental. It takes time and effort to get it right. And security needs to be built in from the beginning, not added in after the fact.
Bill Gates hit the nail on the head when he told his troops, "Trustworthiness is a much broader concept than security, and winning our customers' trust involves more than just fixing bugs." Trustworthy software requires, among other things, design integrity and a security model the user can understand, not patch after patch slapped on after the fact.
Editor's Note: Information Security offered Microsoft representatives equal space to respond to Mr. McNealy's column, but Microsoft declined, saying it may offer an opinion piece on security in the future.