Yet, training is only the first step, stressed Michael Howard, program manager for Microsoft's Secure Windows Initiative. "The training is only one facet of what is happening," he said. To keep the momentum rolling, after each team finished training, it had to draw up a plan of action for completing a review of any piece of software for which the group was responsible. In total, Howard and his group have received more than 70 plans detailing what teams are going to do throughout February to secure their piece of the Windows operating system. "Every group that contributes to the CD has drawn up a plan to mitigate security risks," Howard said. Key to the plans is a measure of success -- how the groups will know when they are done, he added. The plans put program managers -- the designers and big thinkers for Microsoft's software -- in the spotlight as well, Howard said. As part of the security initiative, every manager has to justify not only the group's programming decisions, but how the software is configured as a component of Windows. Program managers are being asked, "Are 90 percent of your users using this feature? If not, then you better have a good reason for enabling that feature by default," Howard said. The goal is to make an everyday user's computer secure by default, he said. "Not everyone needs IIS (Microsoft's Web server) by default," he said. "Not everyone uses Index Server by default. So today, those features are turned off by default." In addition, program managers must create a definite plan to phase out older components of Windows that are merely provided for backwards compatibility. Such components are frequently the source of security problems, Howard said. Code modified by the new security initiative will be incorporated into Windows .Net Server when it ships, and into Windows XP via Service Pack 1, Howard said. Security scrutiny
Other products have already undergone scrutiny from a security standpoint. Office XP, for example, underwent several months of security skepticism before Microsoft released it last June, Lipner said. And Visual Studio.Net, Microsoft's platform for developing applications for its next-generation Internet services, was subject to a detailed security analysis in December. "We beat the hell out of the product for a long time to make sure there weren't any holes that could help people get into the system," said Tom Button, corporate vice president of developer tools management. Adding security to Visual Studio.Net is central to Microsoft's Trustworthy Computing initiative as developers, some with little or no experience building secure software, will be using the tool to create programs for e-business, Button said. Microsoft hopes the consistent mantra of "security, security, security" will push developers -- both inside and outside the company -- to build security into their products, eliminating the need to repeat the monthlong review. "If we did February and February alone, the initiative would fizzle out," Howard said. Yet, while lauding Microsoft's endorsement of security, critics and rivals question whether the giant can deliver. "It's going to be difficult," said Mary Ann Davidson, chief security officer for database maker Oracle. "It is a good thing they are doing this, and it will be good for the industry. But directing corporate culture of any nature is like turning a battleship." Gates himself, in a May 1995 memo urging employees to concentrate on developing for the Internet, likened such efforts to turning a ship the size of the Titanic. Developer tools chief Button agreed the job is a difficult one. "Working at Microsoft is a bit like herding cats," he said. "The whole wake-up call for the Internet was a real turning point of the company, and the whole security issue feels a lot like that." Indeed, the effort has the backing of the top management as well. Microsoft chief executive Steve Balmer pledged that, if given a choice between shipping software with holes and delaying the product, he would put development on hold. Not surprisingly, Lipner echoed that sentiment. "We ship when the product is ready," he said. "And in this case, being ready means being secure."
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.
See the Software News Section for the latest headlines on everything from peer to peer clients to Office software and beyond.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
