Microsoft wages war on flaws

IT Week:

Microsoft announced its Trustworthy Computing initiative at the start of 2002. What progress has it made?

Stuart Okin: The security initiative is in progress at four separate levels – by design, by default, through communications, and through deployment. We had 11,000 developers undergoing training earlier this year, in order to raise their awareness of security issues. The Windows, Exchange, SQL [Server] and other teams have all gone through this process. Generally, if you do a degree in computer science, you are not taught how to write secure code. So testers simply look at whether a product does what it is supposed to do. The training is aimed at helping developers to think carefully about security as well. Once the training was completed, the developers began to review code to assess whether certain features needed to be in by default. Some features would then be switched off as appropriate.

How do Microsoft’s deployment and communications processes help?

We have now produced a huge amount of guidance on how to go about locking down computing environments. Customers cannot wait for the next product releases for security. A key point is how we communicate with customers. We have improved our security Web site, and declared our policies relating to issues such as responsible disclosure. We also set up the Organisation for Internet Safety with companies such as Oracle and security firm @Stake. Just on the Windows team, we have spent £100m on security since January.

Microsoft has recently launched a TechNet online chat facility and a security news mailing list for less technical users. How will these services help customers?

We have got to make it as simple as possible to communicate. We have a wide audience of IT professionals who understand TechNet without any difficulties. However, there are also consumers who do not have so much technical understanding but still need the information. So the extra news list is designed for these consumers.

Microsoft has released over 60 security bulletins this year, according to figures on its Web site. Does this represent an improvement on previous years?

Although there is no individual verification of actual numbers, it seems as though there have been a lot more patches and flaws this year compared with last across the whole industry. But this increase is not due to the quality of code being worse, but because the level of awareness is higher inside organisations and outside, where researchers are looking more for vulnerabilities. Also, a vulnerability such as a buffer overrun is much more exploitable now than it was five or six years ago. For our enterprise customers, receiving bulletins all the time is a difficult task, and one they see as a bad thing. But if they were breached, they would see that as a bad thing as well.

Do you think there will be fewer bulletins and patches released during 2003?

The next series of product releases from Microsoft will have gone through the new security architecture, so they should be less vulnerable. However, there will always be vulnerabilities within complex programs. The number of flaws will decline over time, but there will always be problems and new ways for people to attack systems.

What will be Microsoft’s main focus for security over the next year?

We aim to continue [as] we have begun. Extra tools for managing environments, such as the SMS [Systems Management Server] Value Pack, will be released, as will a whole set of new solution guides. We will also use many of the processes in the international security standard ISO17799 as a framework for advising our customers and establishing our policies. Microsoft will not adopt ISO17799 internally, although our processes do mirror some of those [set out] in the standard.


Stuart Okin is chief security officer at Microsoft UK, with responsibility for all security programmes and initiatives in the region.

He joined the firm in 1997 as a senior consultant, working with the early adopters and beta sites of the Windows 2000 operating system.

Before joining Microsoft, Okin spent seven years at EDS as a systems engineer, working on a number of accounts, including London Underground and defence projects.
