Stuart Okin, the chief security officer for Microsoft UK, said that the patch management issue is the top priority, and would see the company aiming to reduce the number of installers in its product range. "Our product teams are very independent, which has a number of pros and cons. One of the problems is around security, because each product group has its own engineering division which deals with patches in its own way," he said.

While operating system patches are delivered to users via Microsoft’s Software Update Services, Office users have to visit Microsoft’s Office web site and scan for patch requirements, while SQL Server users are notified of patches via alerts and then have to visit Microsoft’s TechNet site.

"What we need is a single process, and that's something that we need to address over the next year to two years," Okin continued. Microsoft currently has about seven installers across its product range, said Okin, and it would take time for the company to bring about the product changes required to reduce that number to one.

"I don't think we'll get to a single installer [in two years], but we can get to Windows Update and MSI," he added. "Eventually, given enough time, we should be able to get down to a single installer, and hopefully ISVs will be able to use that installer as well."

Meanwhile, the company is also looking to institutionalize its internal security training following its 10-week development stand down during early 2002, when developers and testers put down their development tools to check Microsoft's code base for bugs and potential security holes and went through internal security training programs. "The plan is to institutionalize and productize the security stand down," said Okin. "Each team did it slightly differently. Now we want to make it a standard program and versionalize it."

The company is also in the process of implementing new scorecards through which its product teams can be graded on how their output matches up in terms of security, privacy, reliability and business integrity. A scorecard for privacy has been introduced that measures product managers on how well their products meet five NCASE criteria – notification, choice, access, secure, and enforce – and gives them objectives for the next release, said Okin.

Meanwhile, other scorecards are in development for security, reliability and business integrity, for which Okin said it is more complicated to identify the criteria by which product teams should be measured.

By far the trickiest of these, according to Okin, will be business integrity, by which Microsoft hopes to persuade customers that it is a company to be trusted. "Business integrity is the trickiest one, I think," he said. "How do I give you the feeling that you should trust Microsoft? The first way is by being transparent, and the second is by doing what we say we are going to do."

Okin admitted that this transparency will not always work in the company's favor, and said that its announcement of early plans for the controversial Palladium security-on-a-chip system, now renamed Next Generation Secure Computing Base, was evidence of that. "We went really early with this and there was a lot of confusion about what we were doing," he said, "but we were trying to be transparent."

Microsoft’s third priority for the next stage of Trustworthy Computing is to continue the delivery of new deployment guides and utilities, Okin said, that give customers the guidelines and tools to develop and deploy Microsoft technologies in a secure and reliable infrastructure.

While these three priorities set out Microsoft's Trustworthy Computing plans for the next 12 to 24 months, Okin was quick to maintain that there was no quick fix to the problem. "Windows 2003 Server will be the most secure operating system ever, but it will have some problems we didn't notice," he said. "Does that mean we've failed Trustworthy Computing? It doesn't. It's a journey." "Trustworthy Computing is a vision of the future, where computing is as trusted to use as a utility or a telephone," he continued. "We think it will take us five, 10 or even 15 years to get to that end point."

Source: Computerwire