Security steps may delay products

A recent pledge by Microsoft chairman Bill Gates to increase security in the company's software may result in greater delays in the release of future products.

To do a full security assessment of the Windows operating system alone would take Microsoft a long time.

Jason Matusow, Microsoft's shared source initiative product manager, said, "We are going through the common criteria evaluation of Windows 2000.

"This involves very time-consuming and expensive test processes. To undertake a total security review of the Windows source [code] base would take an incredibly long time and is best left to Microsoft."

The "common criteria for IT evaluation" is a certification process defined by the US National Institute of Standards and Technology.

This forms part of Microsoft's efforts to tighten security and improve its image in the wake of damaging hacker attacks, a project which has no timetable and is only described as being ongoing.

At present the company seems to be occupied with closing obvious security vulnerabilities by using automatic security testing software packages, Prefix and Prefast, which the company bought last year and says it has extended and improved.

These products automatically flag flaws in programming practice but Gunter Ollmann, a principal consultant at Internet Security Systems, feels that this may not be enough.

"It's a daunting task," he said. "To go into greater detail beyond auto-detection would take longer than most companies would be willing to tolerate."

Stuart Okin, chief security officer for Microsoft UK, believes that much has already been done to improve security but that Microsoft alone is not the key to secure systems.

"The sum total of Gates' e-mail to the entire company is that security should take priority over features [functionality]," Okin said, "but the initiative goes beyond Microsoft to include our partners and the industry at large.

"We cannot be held responsible for all security problems," he added.

Okin would not comment on whether the security directive will delay products, such as the 64-bit Windows .net operating system, due to be released later this year.
