March 4, 2002 6:45 AM PST
Seeking signs of Microsoft security push
Microsoft has released some tools to help developers and customers add more security to their systems and has made much ado about retraining its developers during a security crash course that lasted all of February, but customers are waiting to see if the company has made a fundamental shift in philosophy, said Alan Paller, director of research for the Systems Administration Networking and Security (SANS) Institute.
"We have no data anywhere in the field about any (security) improvement on any product," he said. "That's not saying that nothing is better, but just that we can't judge yet."
On Thursday, Microsoft acknowledged that it wouldn't ship Windows .Net Server until the latter half of 2002. One of the reasons, a representative for the software titan said on Friday, was to allow the development team to further tighten security.
Other efforts also indicate that Microsoft is working to secure its products. In January and February, the company retrained more than 9,000 developers, product managers and testers in how to build security into their products. At the RSA Data Security conference last month, the company showed off a program to scan for known vulnerabilities in its products.
The initiatives follow a mid-January memo from Gates, Microsoft's chairman, exhorting employees to make the company's products more trustworthy and incorporate not just more security, but also more consumer-oriented handling of data. In the past, a similar message--sent out to redirect the company's energy to Internet development and to undermine Netscape's browser leadership--led to a fundamental shift in the Microsoft's strategy.
Another such shift may already be happening, said Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security.
Maiffret maintained that a change in Microsoft's philosophy would be evident if the software giant released a string of advisories on security holes that it found itself. While such notices are generally bad for the company's image, he argued that notifying customers of any issues it patched would be showing that the company cared more about security than image.
Recently, the Redmond, Wash.-based company did just that.
"There was one advisory where they had found the flaw themselves," Maiffret said. "I don't know that one means that they are being that proactive. But if they continue to make (flaws) public, that could indicate that another fundamental shift is under way."
While the software giant's delay in releasing Windows .Net server could also indicate a shift, the SANS Institute's Paller stressed that there is no way to judge whether the company really is adding a lot of security to the server operating system or merely pulling off a good marketing maneuver.
"If I needed to delay a product, and I wanted to avoid negative PR, that's what I would say as well," he said.
In fact, for Microsoft--a company noted for its inability to keep a deadline--the excuse could be used often.
"I bet every delayed product this year will be due to security concerns," Paller said.