We know we’ve got a problem and we’re doing something about it.
That’s how expatriate New Zealander Michael Howard describes the ethos of the “secure Windows initiative” he’s in charge of at Microsoft, and the software giant’s broader trustworthy computing programme.
“If you join Microsoft, within three months you go to security boot camp,” says Howard. “We don’t assume you know security.”
Building security from the core of code outwards, rather than relying on patches and infrastructure protection measures such as firewalls, is a fundamental of “trustworthy computing”, he says.
“It’s not about firewalls, antivirus software and patches, it’s about allowing applications to defend themselves.”
Education is a major part of Howard’s role in the initiative, which involves working with people in areas other than security to get them thinking in a security-conscious way, he says.
Despite heading a programme called the “secure Windows initiative”, Howard says much of his time over the past few years has been devoted to products other than Windows. “The name’s a misnomer. We spend a lot of time across all Microsoft products.
In 2001, for example, I probably spent 70% of my time outside Windows, mainly on the .Net framework, to ensure Visual Studio .Net, ASP .Net etc shipped as good secure, robust products.”
He says the relative lack of security problems with .Net products so far is testament to the work his team has put in.
It’s the case, however, that web services based on .Net are not widely deployed in the way that Windows and other common Microsoft software is, so what of all the worms and viruses that have affected Microsoft applications in recent years?
Howard returns to “We know we’ve got a problem and we’re doing something about it”, and says security holes exploited by the likes of Nimda and Code Red are a problem across the industry, not just at Microsoft.
“Long term,” says Howard, “we want to reduce our reliance on patches, by changing the end-to-end development process.”
Howard told Microsoft’s Developers Network website earlier this month that legacy code is the biggest challenge in trying to code secure applications. “We think we have the new code pretty much solved.”
Microsoft now puts all products through a security push and audit, the former involving a general thrust inside the company and the latter a more detached review, sometimes involving third parties reviewing design and code.
The release of Windows .Net was delayed early last year due to a security audit. Howard says other products have been similarly delayed when necessary.
Howard, who is SWI’s senior security programme manager but has no direct reports, has been with Microsoft for just over a decade, six of them at the company’s Redmond, Washington headquarters. He hails from west Auckland and worked at Microsoft New Zealand for several years.
The ultimate success of the SWI group will come when its role is unnecessary, he says.
“Our goal is to see different product groups get enough security exposure to keep going on their own.”