We spoke with Steve Adler, a senior consultant with Microsoft, and the man responsible for the company's "Trustworthy Computing" initiative in EMEA, at Tech Ed, Microsoft's developer event in Barcelona during early July. Adler says that Microsoft's much publicised security initiative puts it ahead of the open source community. "We need to lead the industry," said Adler. "We must lead a security initiative across the whole industry, to adopt a more secure mindset. If we want our customers to exploit the Internet to the full, we have to lead them." He pointed out that trustworthiness is a wider issue than just security, "Trustworthiness means security, and also availability considerations. Things should work as advertised. We want to create an environment where people have the assurance that they can do things across the Internet that don't compromise their security." To Adler, the battle is won already. "Microsoft customers are deploying .Net. The general public's perception of us has all the hallmarks of trust. We have a huge amount of trust." He concedes that "we could have better product support and guidance." But thinks that people who don't accept Microsoft's role as a security leader are misguided or worse: "People who read Slashdot take things out of context. What do you do to change their opinions? You tell them the Earth is round, and they say it is flat." Securing the technology
The technology itself is a major part of the initiative. One element is the Secure Windows Initiative, part of last year's Microsoft security push, the so-called "War on hostile code" launched in April 2001. "We are making sure the quality is as good as we can get it," said Adler. Under this year's regime, every product has a mandatory code review for security, which in the case of .Net server cost a well-publicised $100 million in delayed delivery "We've done a lot of work on the process, using peer review, design reviews and third party reviews," said Adler. Visual Studio .Net, for example was reviewed by California-based security specialist Foundstone, resulting in a new default security policy and was included in the Service Pack for Visual Studio .Net, released in May. Educating the users
But another major factor is simply locking down the products that exist, and educating users to think about security. "We are trying to give a more secure out-of-the-box experience," said Adler. "For example, on Windows servers, IIS is not installed by default." Putting the web server on by default made it easier for users to set up servers quickly, but meant that a lot of vulnerabilities (associated with active server pages, for example) are open on sites where people do not realise IIS is running. "You have to explicitly turn these features on now," said Adler. "We may cop some flak from companies if we make things harder to discover, but the benefit is people don't have compromised systems." The Windows Update tool, introduced in XP, was intended to ensure that user systems are given security updates automatically, but it didn't play well with enterprises, who did not want to hand over control of security updates to an outside operator. Microsoft has since set up a system for enterprise IT managers to receive and distribute software updates on their networks, having tested the patches work with their corporate systems: "The Software Update Service helps corporations to automate the patching process, and protect their systems." The nub of it, it seems, is making security usable -- presenting the issues so that the broad mass of users can understand and work with them, and operate securely. Other elements include courseware and certification -- "There will be a security related certification programme," said Adler.