Security Progress at Microsoft

If you have not already done so, I would urge you to take a look at Bill Gates' “Microsoft Progress Report: Security” at https://www.microsoft.com/mscorp/execmail. One thing that will hit you is the sheer breadth of effort being undertaken at Microsoft in the security arena. And by security, I don't just mean crypto; I mean quality and attack resilience too.

As some of you know, I spend all my time working on security engineering; helping engineers (developers, designers, program managers, testers, documentation people, architects and the odd VP) “do the right thing” from a security perspective. It takes time to see the results of your labors when you start a mammoth undertaking like Trustworthy Computing, but I really feel like we are starting to see real progress. And I mean REAL PROGRESS. Now don't get me wrong, there is still a huge amount of work to be done, but some of the early indicators in Bill's email are, for me anyway, very encouraging:

The security development processes we instituted prior to releasing Windows Server 2003 last year are a prime example of where this effort is showing results that benefit customers. The number of "critical" or "important" security bulletins issued for Windows Server 2003, compared to Windows 2000 Server, dropped from 40 to 9 in the first 320 days each product was on the market. Similarly, for SQL Server 2000, there were 3 bulletins issued in the 15 months after release of Service Pack 3, compared to 13 bulletins in the 15 months prior to its release. With Exchange 2000 SP3, there was just 1 bulletin in the 21 months after its release, compared to 7 bulletins in the 21 months prior.

To me, the most telling figures are the Windows figures:

  • 320 days after the release of Windows 2000, we had issued 40 important or critical security bulletins.
  • 320 days after the release of Windows Server 2003, we have issued 9 important or critical security bulletins.

Once again, don't get me wrong, that's still 9 security bulletins, but 9 is MUCH better than 40! And we're seeing this trend across other products too.

There's one figure not in Bill's email, and that is the number of security bulletins issued against IIS6. So here's a pop quiz: we're nearly at the one-year anniversary of the release of Windows Server 2003 and IIS6, so how many security bulletins have been issued for IIS6? Zero. I'm not saying there are no security defects in IIS6; I have no doubt there are. But I like zero! I like zero a lot!

It's warming to see all the work we've done in the last two years starting to pay off. All the training, documentation, root cause analysis, process improvement, threat modeling, security pushes, security reviews, code changes, attack surface reduction work, penetration testing, automated source analysis, compiler improvements, heap improvements and much more has been worth every penny.

Now onto the next two years!

Comments

  • Anonymous
    March 31, 2004
    Umm.. We're nearly a year away from the one-year anniversary of Windows Server 2K3?

    Feel free to delete this if you want.

  • Anonymous
    March 31, 2004
    Yeah - 24 April 2003 was the release. Doesn't time fly, Larry :)

  • Anonymous
    March 31, 2004
    Oh dear - I see what I did!

  • Anonymous
    March 31, 2004
    yes ! IIS 6.0 ROCKS !!!

  • Anonymous
    March 31, 2004
    IIS bugs
    http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/03/30/10388.aspx

  • Anonymous
    March 31, 2004
    Relevant to Stefan's link: the only issue reported against IIS 6.0 is http://www.securityfocus.com/bid/8244. The authors seem to have something against MS - see their message at http://www.securityfocus.com/archive/1/330027, where they mention that they haven't contacted MS.

    Also, there are side issues which while not in IIS codebase still affect it, for example the ASN.1 vulnerability, which could affect IIS if it tries to authenticate a malformed client certificate (perhaps).

    Anyhow, a good effort so far, and I think it's having knock-on effects in general code quality too.

  • Anonymous
    April 01, 2004
    <quote>
    As we've said before, Microsoft is strongly committed to using state-of-the-art engineering practices, standards and processes in the creation of our software. We have undertaken a rigorous "engineering excellence" initiative so that our engineers understand and use best practices in software design, development, testing and release.
    </quote>

    Rigorous "engineering excellence" as in (don't) "catch exceptions by reference"? See:

    msdn: .NET Enterprise Services Performance
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncomser/html/entsvcperf.asp

  • Anonymous
    April 01, 2004
    It's telling that Bill catalogues Security Bulletins rather than Vulnerabilities. Over time the number of vulnerabilities announced per bulletin has increased noticeably, so it doesn't surprise me the number of bulletins has decreased.

    Michael - do you have figures for the number of vulnerabilities? Could you post them on your blog?

  • Anonymous
    April 01, 2004
    I only have the vuln numbers for 2003, but you can easily check 'em yourself by looking at the CVE (Common Vuln & Exposures) numbers for each bulletin. Of the 51 bulletins in 2003, 39 fixed only one CVE, 6 fixed two, three fixed 3, two fixed four, and one bulletin fixed five CVEs.

  • Anonymous
    April 01, 2004
    I posted this at Stefan's blog
    ------
    Microsoft Multiple IIS 6.0 Web Admin Vulnerabilities
    http://www.securityfocus.com/bid/8244

    I wouldn't consider this a core bug or exploit, as it is related to the web admin interface, which probably doesn't do client-side checking.

    Besides, if you really need the web admin interface, you MUST limit access to it, e.g. with a firewall, IP restrictions, etc.

  • Anonymous
    April 02, 2004
    >that this year you will have at most 12 bulletins

    Not so, each month we will probably issue more than one bulletin. Mar04 we issued three (one each for MSN Messenger, Outlook and Media Server), Feb04 we issued 4 and Jan04 we issued 3.

  • Anonymous
    April 08, 2004
    Hi,

    I have created a website concerning the possibility of terrorist attack through INTERNAL access to software source code. Most software companies DO NOT perform path coverage analysis (an industry standard method for discovering untested software paths), and I know of no company performing concordance analysis (examination of the words used in a software program).

    http://www.d50.org

    Comments would be greatly appreciated.

    Regards,

    Mark

  • Anonymous
    April 17, 2004
    Hi Michael,
    Will we ever see a trusted Windows like a trusted Solaris or a trusted Linux SE?

  • Anonymous
    May 02, 2004
    Agree. Windows is on the right track to be more and more secure.

  • Anonymous
    May 08, 2004
    Security Progress at Microsoft (Michael Howard's blog)

  • Anonymous
    May 09, 2004
    Hi. I have an idea. How about formalizing these values with other factors, like the number of packages/licenses shipped and consumed, or the number downloaded from betaplace and MSDN (just a few examples; there may be other more important factors to show)?

    That way you can evaluate what it really means more precisely, more accurately, and more objectively. I believe such an evaluation, with other important factors, would still show that Windows Server 2003 is far, far better than the previous platforms.

  • Anonymous
    July 11, 2004
    Hi! I would like to say that Microsoft is doing great things! Our privacy depends on you guys! Keep doing it like this!