Security

I saw a news story today about Microsoft software security.

There, my first sentence is valid regardless of what date I post this. These days, when can I go a day without seeing a news story about Microsoft software security? For me as a Microsoft employee, especially one who cares so much about quality it's a little disheartening.

Over eight years ago I was a tester for NetMeeting, the conferencing software that allowed PC users to connect over a network to do voice/text chat, share a paint canvas, send and receive video, and even share out applications. The main way to connect to others was by registering your client on a server, then one could browse the list of people and find someone they wanted to talk to. You specified some information about yourself in an Options dialog and that info would show up on the directory server web site.

The web was really picking up back then and the commonality of exploits wasn't nearly what it is today. I remember realizing one day that someone could put HTML code into their user profile. At first, I thought simply of people putting <img> tags in to make pictures show up. The pictures could be really big causing the page to load slowly. They could be of adult material. Clearly Microsoft would not want that sort of thing on the directory server. As I spent more time thinking about how, as a malicous individual, I could do even more very bad things it really scared me. I saw a vulnerability and the sky was the limit.

I informed the management team of my idea. You feel really weird when you mention stuff like this, by the way, because people wonder why you think of such bad things. I'm not a miscreant, I swear! Did they respond as I hoped? Listen to my concern, discuss the implications, have someone work on a technical solution, cost the work out, and stop the problem before we shipped? No, of course not. Back then security was not a big concern for most teams. It was shrugged off as someone (me) with too much of an imagination. Who would really think to put HTML in there anyway?!

Well, beta went out and guess what showed up not one day after? Yup, you guessed it. Customers are smart! Some are even devious.

I admit, it felt good for management to come back to me for a solution. I knew this would be a problem and already put time thinking about how you'd prevent it. It's not the first time at Microsoft (or anywhere else I suspect) that someone saw a threat but was ignored. These days, threats are taken much more seriously.

There is a whole security team of experts that manage our security processes and expectations. I've been to a security talk at least once every six months in the last two years hosted by them. They really know their stuff, let me tell you, and they are learning more everyday. What they've learned over the last six years or so is changing the way we do software development. Higher standards are being implemented. Lines in the sand are being drawn. I expect HUGE changes in the next two years in how we develop software!

However, nothing will change unless our development and management teams take security very seriously. We have to change the way we prioritize features, schedule development work, and reward behavior. I hope and pray that some sort of accountability comes into practice, because irresponsible development and management practices got us here in the first place.

Back to my disheartened feeling, I'm personally sick of vulnerabilities. The truth is no matter what we do they will still be found. We can drastically reduce the number of them and I'm all for that. Certainly the fewer viruses that affect customers and the fewer number of patches they need to install will be greatly appreciated by all. Make no mistake, there will always be malicous people who look for flaws. As we continue to fix the issues that have been found and find ways of keeping new code relatively exploit-free, our products will be more secure. The hackers will have to get creative and find new types of exploits no one thought of before.

Comments

  • Anonymous
    February 17, 2004
    Put it this way, would you rather find them outside those walls or inside those walls. Nuff said.

    Btw tell them if I find a critical bug they will get notified of it along with everybody else, the same day on every public forum available with full source.

    Tell them that too.

  • Anonymous
    February 17, 2004
    You do run static analyzers on your code I hope, you do have SDE/Ts go over the code, you do use randomization for data generation (automated ad-hoc), you do only make visible the minimum, right?
  • Anonymous
    February 17, 2004
    The comment has been removed