NYTimes.com Article: Microsoft Programmers Focus on Secure Software

khare@w3.org khare@w3.org
Tue, 9 Apr 2002 04:43:37 -0700 (PDT)


This article from NYTimes.com 
has been sent to you by khare@w3.org.


I spy a pair of FoRKs in the Times!

See the article for a quote from Roy at the end; see the online version for a photo of what I'll swear to be one Brian LaMacchia ... good work by Markoff, though off of his usual standard of explaining the actual issues and risks involved, and implications for competitors in the market. Not to mention how many of the new risks are emergent, the results of combinations of components and services that seem secure separately (as with many of the Outlook/DHTML interactions). 

Congrats!
  Rohit

khare@w3.org


Microsoft Programmers Focus on Secure Software

April 8, 2002 

By JOHN MARKOFF


 

REDMOND, Wash., April 4 - On this sprawling corporate
campus that is the heartland of personal computing, 9,000
elite Microsoft employees have gone back to
school. 

Stung by a chorus of critics who said that its software
code was increasingly buggy and vulnerable to attack,
Microsoft began sending its programmers to a special course
in writing secure software. And it ordered them to stop
creating new programs until they had painstakingly
re-examined the millions of lines of Windows operating
system software for potential vulnerabilities. 

Two months later, Microsoft is still re-examining its code
and its attitudes toward software development. 

The shift in focus began early in February, when the
company held a dozen half-day training sessions for its
programmers, about 1,000 at a time. 

Members of the select group initially showed some
resistance to the process, but in the end the experience of
seeing offending snippets of code on a giant screen in a
large auditorium proved humbling, said Michael Howard, the
Microsoft security expert who prepared the training
material for the company's security retraining and led the
security classes. 

"Geeks like learning new things, and when they pop out at
the end of the process they're entirely brainwashed," he
said. 

The enforced period of corporate self-reflection was
initially supposed to last through February. But it has
stretched through a second month and is only now nearing
completion. 

The company insists that its campaign to create a more
trustworthy computing system will not really end but
instead will continue as a deep shift in attitude that
Microsoft hopes will permeate the work practices of its
programming corps. 

In a memo in January, Bill Gates, the chairman and
co-founder, instructed Microsoft to shift its top priority
from adding new features to ensuring that software is
secure. Executives said that the memo was the most
significant strategy paper from Mr. Gates since one in
December 1995, "Internet Tidal Wave." 

Some of Microsoft's rivals and some independent security
experts have greeted the shift in strategy with skepticism.


"I think that the reason that people are upset with them is
the perception that Microsoft will always choose the extra
feature, begging the issue of whether that feature is
actually of high value to the user and damning the security
impact it might represent to all users," said Rebecca Bace,
president of Infidel, a security consulting practice. 

Microsoft insists that such thinking represented the old
Microsoft. In interviews, several of its key program
managers warned that underestimating Microsoft's ability to
meet the computer security challenge might be as foolhardy
as was misjudging its ability to turn itself into a
dominant Internet player. 

"Microsoft has always had a crisis-driven mentality," said
Mr. Howard, the security expert. "You have my word: we will
lead the industry in delivering secure software." 

It will not be an easy challenge to meet, industry
executives said. Microsoft has come to dominate the
computer industry in part by rapidly adding a seemingly
unending stream of new features to its products. To deliver
on its intent, it will have to consider more carefully the
trade-offs between new features and security. 

Facing the security challenge also conflicts directly with
the "easy to use" goals that have until now been the mantra
of personal computer software designers. Easy to use
frequently also means easy to hack, Microsoft's programmers
acknowledged. 

Moreover, in its effort to dominate the Internet of the
future, Microsoft is about to propel itself into a
fundamental new and more complex computing era, which it
calls .Net. The new computing generation will be defined by
the ability to build programs that span tens or even
hundreds of computers linked together by the Internet. Such
a distributed computing design will present complex new
security challenges that have largely not been conquered by
the computer security world. 

It was the onset of the brave new world of distributed
computing that drove Microsoft to the drastic measures it
took in stopping the writing of new programs while it
reviewed its existing software. 

Its software security leaders, including Mr. Howard and
Doug Bayer, the director of the Windows Security Group, say
that Microsoft was forced to re-evaluate its security
position in a fundamental way after its software was struck
last year by two malicious computer worms, named Code Red
and Nimda. 

Corporate customers were furious, and Microsoft realized
that it must act to avoid losing confidence and business. 

Mr. Bayer, who was trained as a physicist and works in a
cramped office with six computers and a small statue of the
cartoon character Dilbert, said that Microsoft had already
been finding its way toward improving its security when the
worms hit last year. 

"A significant number of our customers got hit," he said.
Microsoft, in a post-mortem of the attacks, discovered that
highly protected corporate data centers had generally not
been infected. Many corporations, however, had added "rogue
servers," machines that were informally installed by
corporate departments. Inexperienced computer users
frequently misconfigured those machines. 

"The default had been to make it easy to use," he said.
"Now we realize the right thing is to make it secure right
out of the box." 

At the end of last year, the company began to accelerate
its security push while it delayed the introduction of an
important new programming tool called Visual Studio .Net so
it could review the code for security problems. Not only do
small teams reread the original programmers' instructions
looking for flaws, but a variety of automated programs also
look for security flaws that might be missed by human eyes.


Whether thousands of Microsoft's eyeballs will make a
difference is a question that is hotly debated in the
computer industry. Advocates of open-source software, in
which the original programmers' instructions are freely
distributed, have long argued that Microsoft's proprietary
software secrecy is the company's Achilles' heel. 

The development process at Microsoft encourages individuals
under deadline pressure to make large changes in products
without adequate peer review, said Roy Fielding, chief
scientist at Day Software and an open-source developer. Dr.
Fielding said he worried that Microsoft was examining its
Windows code in mass reviews in which the participants were
likely to fall asleep after looking at the first hundred
lines of code. 

Steven B. Lipner, Microsoft's director of security
assurance, responded, saying: "I'd be astonished if the
open-source community has in total done as many man-years
of computer security code reviews as we have done in the
last two months." 


http://www.nytimes.com/2002/04/08/technology/ebusiness/08SOFT.html?ex=1019352616&ei=1&en=d9114136d732f0a4




Copyright 2002 The New York Times Company