Users tell Microsoft not to rely on secrecy of code

Bill Goodwin
The chairman of the Jericho Forum, which represents the heads of security from FTSE businesses, has urged Microsoft to develop operating systems that do not rely on the secrecy of their source code to ensure security.

Speaking after the embarrassing leak of Windows 2000 and NT4 source code on to the web this month, David Lacey, chairman of the forum and director of security and risk management at the Post Office, said "security by obscurity" would not be an option for businesses in the future.

IT security will have to change radically over the next few years to allow businesses to communicate with suppliers and customers across potentially insecure public networks, said Lacey. This means moving security to the data level.

Just as businesses no longer rely on the secrecy of encryption algorithms to protect their data, software suppliers should not be reliant on the secrecy of their source code, Lacey said.

"Microsoft source code gets exposed to so many contractors and partners that there is always a risk it will come out at some point," he said. "Microsoft should design secure systems where it does not matter if it gets out."

Lacey said Microsoft deserved credit for taking the lead on security, but warned it had a long way to go before it reached the levels the industry was looking for.

Stuart Okin, UK security chief, said he agreed with Lacey's comments and Microsoft was already designing code capable of being widely shared without compromising security. "We absolutely firmly believe in Jericho's vision. It's about protecting the individual data items, rather than putting protection around your perimeter," he said. He added that the Windows source code leak would pose only a limited security risk.
