Security Progress at Microsoft
If you have not already done so, I would urge you to take a look at Bill Gates' “Microsoft Progress Report: Security” at https://www.microsoft.com/mscorp/execmail. One thing that will hit you is the sheer breadth of effort being undertaken at Microsoft in the security arena. And by security, I don't just mean crypto, I mean quality and attack resilience too.
As some of you know, I spend all my time working on security engineering; helping engineers (developers, designers, program managers, testers, documentation people, architects and the odd VP) “do the right thing” from a security perspective. It takes time to see the results of your labors when you start a mammoth undertaking like Trustworthy Computing, but I really feel like we are starting to see real progress. And I mean REAL PROGRESS. Now don't get me wrong, there is still a huge amount of work to be done, but some of the early indicators in Bill's email are, for me anyway, very encouraging:
The security development processes we instituted prior to releasing Windows Server 2003 last year are a prime example of where this effort is showing results that benefit customers. The number of "critical" or "important" security bulletins issued for Windows Server 2003, compared to Windows 2000 Server, dropped from 40 to 9 in the first 320 days each product was on the market. Similarly, for SQL Server 2000, there were 3 bulletins issued in the 15 months after release of Service Pack 3, compared to 13 bulletins in the 15 months prior to its release. With Exchange 2000 SP3, there was just 1 bulletin in the 21 months after its release, compared to 7 bulletins in the 21 months prior.
To me, the most telling figures are the Windows figures:
- 320 days after the release of Windows 2000, we had issued 40 important or critical security bulletins.
- 320 days after the release of Windows Server 2003, we have issued 9 important or critical security bulletins.
Once again, don't get me wrong, that's still 9 security bulletins, but 9 is MUCH better than 40! And we're seeing this trend across other products too.
There's one figure not in Bill's email, and that is the number of security bulletins issued against IIS6. So here's a pop quiz: we're nearly at the one-year anniversary of the release of Windows Server 2003 and IIS6, so how many security bulletins have been issued for IIS6? Zero. I'm not saying there are no security defects in IIS6; I have no doubt there are. But I like zero! I like zero a lot!
It's warming to see all the work we've done in the last two years starting to pay off. All the training, documentation, root cause analysis, process improvement, threat modeling, security pushes, security reviews, code changes, attack surface reduction work, penetration testing, automated source analysis, compiler improvements, heap improvements and much more has been worth every penny.
Now onto the next two years!
Comments
Anonymous
March 31, 2004
Umm.. We're nearly a year away from the one-year anniversary of Windows Server 2K3?
Feel free to delete this if you want.
Anonymous
March 31, 2004
Yeah - 24 April 2003 was the release. Doesn't time fly, Larry :)
Anonymous
March 31, 2004
Oh dear - I see what I did!
Anonymous
March 31, 2004
yes ! IIS 6.0 ROCKS !!!
Anonymous
March 31, 2004
IIS bugs
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/03/30/10388.aspx
Anonymous
March 31, 2004
Relevant to Stefan's link: the only issue reported against IIS 6.0 is http://www.securityfocus.com/bid/8244. The authors seem to have something against MS - see their message at http://www.securityfocus.com/archive/1/330027, where they mention that they haven't contacted MS.
Also, there are side issues which while not in IIS codebase still affect it, for example the ASN.1 vulnerability, which could affect IIS if it tries to authenticate a malformed client certificate (perhaps).
Anyhow, a good effort so far, and I think it's having knock-on effects in general code quality too.
Anonymous
April 01, 2004
<quote>
As we've said before, Microsoft is strongly committed to using state-of-the-art engineering practices, standards and processes in the creation of our software. We have undertaken a rigorous "engineering excellence" initiative so that our engineers understand and use best practices in software design, development, testing and release.
</quote>
Rigorous "engineering excellence" as in (don't) "catch exceptions by reference"? See:
msdn: .NET Enterprise Services Performance
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncomser/html/entsvcperf.asp
Anonymous
April 01, 2004
It's telling that Bill catalogues Security Bulletins rather than Vulnerabilities. Over time the number of vulnerabilities announced per bulletin has increased noticeably, so it doesn't surprise me the number of bulletins has decreased.
Michael - do you have figures for the number of vulnerabilities? Could you post them on your blog?
Anonymous
April 01, 2004
I only have the vuln numbers for 2003, but you can easily check 'em yourself by looking at the CVE (Common Vuln & Exposures) numbers for each bulletin. Of the 51 bulletins in 2003, 39 fixed only one CVE, 6 fixed two, three fixed 3, two fixed four, and one bulletin fixed five CVEs.
Anonymous
April 01, 2004
I posted this at Stefan's blog
------
Microsoft Multiple IIS 6.0 Web Admin Vulnerabilities
http://www.securityfocus.com/bid/8244
I won't consider this a core bug or exploit, as this is related to the web admin interface, which probably doesn't do client-side checking.
Besides, if you really need the web admin interface, you MUST limit access to it, e.g. with a firewall, IP restrictions, etc.
Anonymous
April 02, 2004
>that this year you will have at most 12 bulletins
Not so, each month we will probably issue more than one bulletin. Mar04 we issued three (one each for MSN Messenger, Outlook and Media Server), Feb04 we issued 4 and Jan04 we issued 3.
Anonymous
April 08, 2004
Hi,
I have created a website concerning the possibility of terrorist attack through INTERNAL access to software source code. Most software companies DO NOT perform path coverage analysis (an industry standard method for discovering untested software paths), and I know of no company performing concordance analysis (examination of the words used in a software program).
http://www.d50.org
Comments would be greatly appreciated.
Regards,
Mark
Anonymous
April 17, 2004
Hi Michael,
Will we ever see a trusted Windows like a trusted Solaris or a trusted Linux SE?
Anonymous
May 02, 2004
Agree. Windows is on the right track to be more and more secure.
Anonymous
May 09, 2004
Hi. I have an idea. How about formalizing these values with other factors like the numbers of packages/licenses shipped and consumed, or the numbers downloaded from betaplace and MSDN (just a few examples; there may be other, more important factors to show)?
That way you can evaluate what it really means more precisely, more accurately, and more objectively. I believe such an evaluation with other important factors would still show that Windows Server 2003 is far, far better than the previous platforms.
Anonymous
July 11, 2004
Hi! I would like to say that Microsoft is doing great things! Our privacy depends on you guys! Keep on doing this!