ANALYSIS: Trust me I'm a developer
Posted on 10 Mar 2003 at 10:40
What a difference a year makes, or so the saying goes. It's a maxim that can be applied to many IT issues, but what about Microsoft's push to develop Trustworthy Computing? Even the software giant itself would urge caution.
It announced the campaign in early 2002 amid much scepticism - the focus seemed to remain on Microsoft's past transgressions rather than its future assurances. And with security breaches in IE, and more recently SQL Server 2000, continuing to reveal themselves, Microsoft's 'security, security, security' pledge has been reported by some as an empty promise.
But anyone expecting an immediate solution to the holes in the world's IT infrastructure may have been a little naive. Analysts have backed Microsoft's early attempts to turn around a corporate culture of functionality over security, warning that a complete solution is years away and that nobody will ever be able to claim a 100 per cent IT defence.
'We're in for the long haul. Anybody who expected Trustworthy Computing to solve all the ills of the computing world overnight is in cloud cuckoo land,' said Chris Potter, partner at PricewaterhouseCoopers. 'First, developers often don't have a good appreciation of what security is all about.'
Microsoft's first step was to right this wrong. It spent $100 million (£63m) on security training for the Windows development team last year, in a code-writing push that affected 9,000 developers and originally fell under the Palladium banner (now renamed 'next-generation secure computing base') for a trustworthy environment. Those working on Exchange, SQL Server and various other teams were also targeted.
'We did a security freeze and stopped the development of various products when Bill Gates sent his [Trustworthy Computing] memo a year ago,' said Stuart Okin, Microsoft's chief security officer in the UK. 'It affected every developer and program manager in the company.'
But Microsoft's commitment to the Trustworthy Computing campaign could never be substantiated by a year-long exercise in staff training - the company itself admits it could take up to 15 years until the plan is completed.
The next step, according to Okin, is to institutionalise and 'methodologise' the creation of secure code, so that it becomes just a part of the way the company develops applications.
This year will also see the company work on the consistency with which it delivers patches to customers, admitting that security updates have posed problems for users before.
'We've still got some problems within the product groups,' said Okin. 'For example, we have six or seven different installers for installing patches. This has to come down to two in the next year and ultimately one. We have to be consistent to ensure they all store information in the same place and uninstall in the same way.'
Microsoft also plans to take security patches through beta programs to ensure that a piece of code doesn't destabilise other applications, while an increased focus on usability will attempt to take the fear factor out of fiddling with security settings and the nuisance associated with downloading critical updates.
This is the one area in which Microsoft's hands may be tied. The need to keep patches up to date has been well documented, but the difficulty is ensuring users keep their end of the bargain. This meant Microsoft chief security officer Craig Mundie's quip that it would be beneficial to force users to download patches was given credence by some in the industry.
Printed from www.pcpro.co.uk

