But that's precisely what happened when Microsoft announced on October 29 that its Windows 2000 Pro software line had received the so-called Common Criteria certification, an internationally recognised standard for secure design and implementation of info-tech products. Fourteen Western countries are now signatories of the Common Criteria, which is widely considered the gold standard of security certifications, the big kahuna that carries the most weight. Does this mean Microsoft is really serious about security? At the risk of getting flamed by all the Redmond-haters out there, I would have to say yes. The fact that the software giant is even willing to undergo these types of invasive and costly audits illustrates that the old days of freehand coding and willy-nilly programming with little real structure or methodology are gone for good. And unlike most software companies, Microsoft actually has a line item for security engineers and security-testing costs in its budgets. "We have spent a lot of people's time and effort and money, and actually made changes to the product to ensure that customers would have a secure platform and that there would be independent third-party validation," says Steve Lipner, Microsoft's director of security assurance. Work to do
That said, achieving Common Criteria is really just a starting point to building secure software. Witness Microsoft's revelation on October 30 of three more security flaws (one ranked critical) in its Windows operating system -- including a security system that passed Common Criteria -- just a day after its triumphal certification announcement. CIOs and tech managers should understand that even Common Criteria certification doesn't require a line-by-line code review and, as Microsoft freely admits, provides no assurances that software will be free of security flaws. Persistent findings of new holes in Microsoft products mean it still has lots of work to do in making sure its code is rock-solid. The Common Criteria standards arose from international efforts in the 1980s to define security guidelines for IT products and create internationally accepted ways to test and certify security. Seven Common Criteria evaluation levels are now recognised. The various involved parties, such as the U.S. National Institute of Standards & Testing (NIST), have agreed on commercial testing criteria for only the first four levels (no widely available commercial product has obtained a fifth-level certification). The criteria range from basic functional testing of security at the first level to more extensive code and methodology review at the fourth level. The most rigorous evaluation level that can be tested now by commercial labs, Evaluation Assurance Level 4 (EAL4), is required by the U.S. government for any IT equipment and software that handles sensitive but nonclassified information. Microsoft passed muster for this highest level with independent third-party testing lab Science Applications International Corp. (SAIC).