Microsoft developers feel Windows pain

Under a new push to secure software code and convince customers that security is a top priority, Microsoft is putting its Windows developers, testers and program managers through a crash course in secure programming.

Over the next month, the software giant's security-assurance group expects the training to pay off as more than 70 developer teams audit the various software components that make up Windows XP and the upcoming Windows .Net server operating systems.

"This is an extremely serious and encompassing effort for us," said Steve Lipner, director of security assurance for Microsoft and a lead manager in the effort. "We are going to get a lot of testing done. We are going to have a lot of people who are really, really hard-core about security distributed throughout the organization, and that's going to change how products get built in the future."

What isn't clear is how the massive effort will affect Microsoft's bottom line, because product groups will be busy learning about security--but not building products. Microsoft executives said the time needed to examine security issues has been built into product delivery schedules.

The effort comes in the midst of Microsoft's push to develop a secure and simple infrastructure to deliver e-business services, known as .Net. The software titan's ability to keep such a critical infrastructure out of harm's way has been questioned every time a security slip or new glitch is discovered.

Those slips have been frequent. In December, a flaw in the universal plug-and-play component of Windows XP placed consumers--especially those on high-speed cable networks--in danger of being hacked. Then, in January, five days of problems with the company's Windows Update service had critics wondering whether the company could deliver on a project as complex as .Net.

That prompted company Chairman Bill Gates to endorse a new security initiative in a companywide memo in mid-January. In the e-mail, Gates called for employees to put security first, urging them to help the company make its .Net infrastructure for future Web services a platform for trustworthy computing.

"When we face a choice between adding features and resolving security issues, we need to choose security," he wrote. "Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve."

The pledge has kept Microsoft's security-assurance group busy. For the last two weeks, anyone who has contributed code to the Windows XP and Windows .Net server CDs has been stuffed "cheek by jowl" in classrooms for training, Lipner said.

Back to basics
Yet, training is only the first step, stressed Michael Howard, program manager for Microsoft's Secure Windows Initiative.

"The training is only one facet of what is happening," he said.

To keep the momentum rolling, after each team finished training, it had to draw up a plan of action for completing a review of any piece of software for which the group was responsible. In total, Howard and his group have received more than 70 plans detailing what teams are going to do throughout February to secure their piece of the Windows operating system.

"Every group that contributes to the CD has drawn up a plan to mitigate security risks," Howard said. Key to the plans is a measure of success--how the groups will know when they are done, he added.

The plans put program managers--the designers and big thinkers for Microsoft's software--in the spotlight as well, Howard said. As part of the security initiative, every manager has to justify not only the group's programming decisions, but how the software is configured as a component of Windows.

Program managers are being asked, "Are 90 percent of your users using this feature? If not, then you better have a good reason for enabling that feature by default," Howard said.

The goal is to make an everyday user's computer secure by default, he said. "Not everyone needs IIS (Microsoft's Web server) by default," he said. "Not everyone uses Index Server by default. So today, those features are turned off by default."

In addition, program managers must create a definite plan to phase out older components of Windows that are merely provided for backwards compatibility. Such components are frequently the source of security problems, Howard said.

Code modified by the new security initiative will be incorporated into Windows .Net Server when it ships, and into Windows XP via Service Pack 1, Howard said.

Security scrutiny
Other products have already undergone scrutiny from a security standpoint.

Office XP, for example, underwent several months of security skepticism before Microsoft released it last June, Lipner said.

And Visual Studio.Net, Microsoft's platform for developing applications for its next-generation Internet services, was subject to a detailed security analysis in December.

"We beat the hell out of the product for a long time to make sure there weren't any holes that could help people get into the system," said Tom Button, corporate vice president of developer tools management.

Adding security to Visual Studio.Net is central to Microsoft's Trustworthy Computing initiative as developers, some with little or no experience building secure software, will be using the tool to create programs for e-business, Button said.

Microsoft hopes the consistent mantra of "security, security, security" will push developers--both inside and outside the company--to build security into their products, eliminating the need to repeat the monthlong review.

"If we did February and February alone, the initiative would fizzle out," Howard said.

Yet, while lauding Microsoft's endorsement of security, critics and rivals question whether the giant can deliver.

"It's going to be difficult," said Mary Ann Davidson, chief security officer for database maker Oracle. "It is a good thing they are doing this, and it will be good for the industry. But directing corporate culture of any nature is like turning a battleship."

Gates himself, in a May 1995 memo urging employees to concentrate on developing for the Internet, likened such efforts to turning a ship the size of the Titanic.

Developer tools chief Button agreed the job is a difficult one. "Working at Microsoft is a bit like herding cats," he said. "The whole wake-up call for the Internet was a real turning point of the company, and the whole security issue feels a lot like that."

Indeed, the effort has the backing of the top management as well.

Microsoft CEO Steve Ballmer pledged that, if given a choice between shipping software with holes and delaying the product, he would put development on hold.

Not surprisingly, Lipner echoed that sentiment.

"We ship when the product is ready," he said. "And in this case, being ready means being secure."