Flaws are inevitable, Microsoft strategist warns

Microsoft chief security strategist Scott Charney has told a US committee that a robust security-response capability and...

Microsoft chief security strategist Scott Charney has told a US committee that a robust security-response capability and effective risk management are critical because software vulnerabilities are unavoidable, regardless of the type of operating system used.

Charney appeared before the House Armed Services Committee at a hearing on cyberterrorism and the risks to national security and Department of Defense operations.

His appearance came approximately a month after the Department of Homeland Security signed a $90m enterprise contract with Microsoft covering server and desktop software for some 140,000 users, and a week after the company announced a critical security flaw affecting nearly every version of the Windows operating system - including Windows Server 2003.

News of that deal led some experts to warn that the new agency had made itself a hostage to flawed Microsoft security practices. Others expressed concern about the US government's reliance on a single supplier for most of its software infrastructure.

Charney acknowledged that there are valid arguments to be made on both sides of the single-vendor issue. "The advantage of a homogeneous environment is that it's much easier to manage," he said. "When you run a lot of different software in the same environment, you need different expertise, and sometimes connecting those different systems raises its own vulnerability."

On the other hand, said Charney, relying on a single software supplier could mean that a vulnerability or security incident affecting one product could have broader implications for the rest of the organisation.

Eugene Spafford, director of the Center for Education and Research in Information Assurance and Security at Purdue University, agreed with Charney about the advantages, although he warned that there are hidden dangers in standardising on a single platform.

Not giving users the proper training for such an environment can be the equivalent of giving each individual an automatic weapon, said Spafford. "As a result, any one of them becomes a potential launching point for a problem.

"Until we get to the point where we have the appropriate training and safeguards in place for every one of those individuals, and the reach of what they do is limited, it is perhaps better to have some partitions in place that may be brought about by different vendors and different platforms," he added.

Charney also told Congress that while Microsoft has refocused its energies on security through its Trustworthy Computing initiative, it also considers its security response capability to be a central weapon in its security arsenal.

"If the software vendor is very responsive in providing security, then a single patch may take care of the problem," Charney told the committee. "There are both pluses and minuses, and it's really a question of risk management."

Dan Verton writes for Computerworld

Read more on Microsoft Windows software