The partial opening of Windows source code for government clients is nothing essentially new, says Microsoft technical marketing group manager Terry Allen.
“We’ve had a government programme for more than five years,” he says. What’s new is that government representatives can access source code online, he says. Previously, they had to go to Redmond, where Microsoft would allocate them a private space to inspect the code.
The open source programme has been extended to large private-sector companies in some countries, but only in the off-site mode, Allen says. No New Zealand companies have so far taken up the opportunity.
“Generally, New Zealand companies are very comfortable with the security of our code,” he says.
Microsoft doesn’t allow government users to change the code, but it is theoretically possible that they could use the knowledge to access operating system facilities in irregular ways which they might see as more efficient, Allen says.
“We find governments are not interested in doing that,” he says. “Their aim is to ensure the integrity of the code, so they’ll be more comfortable with the security of the operating system.
“We’ve also been more specific [in the latest version of the scheme] about opening the source code for third-party APIs,” says Allen. Some governments, such as Israel and China, have stripped out Microsoft’s encryption APIs and replaced them with interfaces to their own coding routines, he says.
Allen plays down the significance of the repeated holes uncovered in the security of various versions of Windows and attendant systems software such as the IIS server, and doesn’t accept that Windows is particularly vulnerable.
“All operating systems vendors continue to work towards making their systems as secure as possible,” he says.
“In the last six months, there have been roughly the same number of compromises in Linux and Unix as there have been in Windows,” which is a good record given that Windows is deployed much more broadly, he says.
“I’m the first to admit that there is work still to be done,” Allen says, but if fixes published by Microsoft are applied and a competent firewall and antivirus application installed, then there is a “reasonable” chance of avoiding damaging consequences of any vulnerabilities.
Microsoft is also working on greater automation of operating system updates. In future, delivery of fixes online “will happen transparently in the background”.
There are four prongs in Microsoft’s effort to make the operating systems more secure:
- The “secure by design” initiative aims at improving the design of Windows itself to decrease vulnerability; Allen acknowledges that there is “some validity” in the view that Linux and Unix were better designed from the ground up in this respect.
- “Secure by default” means Windows will in future come out of the box in a “locked down” form with potentially vulnerable points closed, to be opened actively by the user if those facilities are required. The reverse used to be the case, with the user having to close potential loopholes that were left open in the out-of-the-box system.
- Design default deployment — aimed at making deployment of fixes easier.
- Communications improvement, ensuring that crucial messages about vulnerability and patches for discovered failings are brought to the attention of the user, perhaps by being sent in email.
The cost advantage of Linux is somewhat misleading, he contends, since the up-front cost of the software is only about 5% of the cost of deployment in a typical business.
Microsoft may allow users to more often choose small-increment upgrades in future, one of the attractions of Linux.