Microsoft strengthens its testing procedures

Microsoft has responded to concerns from IT directors and analysts over the security of its operating systems and software applications by strengthening its testing procedures and hiring more security specialists.

In an interview with Computer Weekly, Howard Schmidt, Microsoft's chief security officer, said the company has begun a major series of programmes to make its products more secure against hackers and virus attacks.

Microsoft's fightback follows criticism from IT consultancy Gartner Group, which suggested that companies should look into replacing Microsoft Internet Information Server (IIS) software with more secure server applications as a matter of urgency.

Gartner said the Nimda virus attacks last month demonstrated how easy it is to attack Web servers based on IIS, which has an estimated six million users worldwide.

"As far as the criticisms are concerned, we have been extremely responsive," said Schmidt. "There has been an increase in the security team on the IIS development. The additional resources are substantial."

Testing will be much more thorough before future products are released, said Schmidt. New software will be tested internally and by external security consultants to reduce the likelihood of vulnerabilities appearing that could be exploited by hackers.

Future software will also be designed so that it comes out of the box configured for the highest security. Users will have to intentionally change the settings if they want to use features that could make the system less secure.

Schmidt said he recognised the difficulties IT departments face in keeping up with the high volume of patches that Microsoft issues to repair security vulnerabilities. Microsoft is developing technology that will analyse systems, identify what patches are missing, and make it easier for systems administrators to update.

Microsoft said it is keen to work closely with its customers to identify how to improve software security. The company is sharing information on security risks with rival suppliers in the US, and has similar plans in the UK, said Schmidt.

"It will be a case of taking all the lessons we have learned and turning them into more secure products. That doesn't mean giving up on the features, but doing them more securely," he said.
