|
|
ONLINE FEATURES
Book Reviews
BW Video
Columnists
Interactive Gallery
Newsletters
Past Covers
Philanthropy
Podcasts
Special Reports
BLOGS
Auto Beat
Bangalore Tigers
Blogspotting
Brand New Day
Byte of the Apple
Economics Unbound
Eye on Asia
Fine On Media
Green Biz
Hot Property
Investing Insights
Management IQ
NEXT: Innovation
NussbaumOnDesign
Tech Beat
Working Parents
TECHNOLOGY
J.D. Power Ratings
Product Reviews
Tech Stats
Wildstrom: Tech Maven
AUTOS
Home Page
Auto Reviews
Classic Cars
Car Care & Safety
Hybrids
INNOVATION
& DESIGN Home Page Architecture Brand Equity Auto Design Game Room SMALLBIZ Smart Answers Success Stories Today's Tip INVESTING Investing: Europe Annual Reports BW 50 S&P Picks & Pans Stock Screeners Free S&P Stock Report SCOREBOARDS Hot Growth 100 Mutual Funds Info Tech 100 S&P 500 B-SCHOOLS Undergrad Programs MBA Blogs MBA Profiles MBA Rankings Who's Hiring Grads | |
NOVEMBER 5, 2002 SECURITY NET By Alex Salkever Microsoft Earns a Security Merit Badge No way, you say? Well, it's true: Though its code is far from rock-solid, the Colossus of Redmond is making recognized strides
Does this mean Microsoft is really serious about security? At the risk of getting flamed by all the Redmond-haters out there, I would have to say yes. The fact that the software giant is even willing to undergo these types of invasive and costly audits illustrates that the old days of freehand coding and willy-nilly programming with little real structure or methodology are gone for good. And unlike most software companies, Microsoft actually has a line item for security engineers and security-testing costs in its budgets. "We have spent a lot of people's time and effort and money, and actually made changes to the product to ensure that customers would have a secure platform and that there would be independent third-party validation," says Steve Lipner, Microsoft's director of security assurance. WORK TO DO. That said, achieving Common Criteria is really just a starting point to building secure software. Witness Microsoft's revelation on Oct. 30 of three more security flaws (one ranked critical) in its Windows operating system -- including a security system that passed Common Criteria -- just a day after its triumphal certification announcement. CIOs and tech managers should understand that even Common Criteria certification doesn't require a line-by-line code review and, as Microsoft freely admits, provides no assurances that software will be free of security flaws. Persistent findings of new holes in Microsoft products mean it still has lots of work to do in making sure its code is rock-solid. The Common Criteria standards arose from international efforts in the 1980s to define security guidelines for IT products and create internationally accepted ways to test and certify security. Seven Common Criteria evaluation levels are now recognized. The various involved parties, such as the U.S. National Institute of Standards & Testing (NIST), have agreed on commercial testing criteria for only the first four levels (no widely available commercial product has obtained a fifth-level certification). The criteria range from basic functional testing of security at the first level to more extensive code and methodology review at the fourth level. The most rigorous evaluation level that can be tested now by commercial labs, Evaluation Assurance Level 4 (EAL4), is required by the U.S. government for any IT equipment and software that handles sensitive but nonclassified information. Microsoft passed muster for this highest level with independent third-party testing lab Science Applications International Corp. (SAIC). THREE-YEAR EFFORT. Microsoft received Common Criteria EAL4 certification for Windows 2000 but only for versions that have been augmented by software Service Pack 3 (the third big update to Windows 2000) and not previous versions. To receive the certification, SAIC tested Windows 2000 cryptography modules, directory systems, file systems, access-control systems and just about every other software component pertaining to security. One important point: Lipner says the software configurations Microsoft submitted for Common Criteria aren't tweaked to maximize security at the expense of usability, a common tactic for companies trying to pass Common Criteria with so-called "government versions" of their software. "What we offered was absolutely a standard, commercial version" with some minor lock-down modifications, says Lipner. Getting Common Criteria took three years of work by hundreds of engineers and cost millions of dollars for Microsoft, which had to make extensive code revisions along the way. "We are determined to not merely say we are building secure products but to also let people look at our code and our practices and provide external assurance," says Lipner. "REAL EVIDENCE." Even some of Gates & Co.'s harshest critics would agree. In September, 2001, tech consultancy Gartner Group told its clients to stop running Microsoft's IIS (Internet Information Systems) Web server due to security problems. Flash forward a year, and Gartner analyst John Pescatore says Microsoft has fixed most of the bugs in IIS. "I believe Microsoft actually has gotten serious about security. I've seen real evidence of real changes in how Microsoft product managers emphasize security over product features. That's the key issue," says Pescatore. He has also been impressed by what he has seen in security considerations for versions of Microsoft's .Net Server 2003, a piece of software designed to deliver services that help link Web sites and sync data between disparate systems. "For the past year and a half, I believe Microsoft deserves an A for effort, given the complexity of their software and their efforts at addressing problems. Unfortunately, they are very poor in public outreach activities," says Pete Lindstrom, research director for Spire Security, a consultancy in Malvern, Pa. Effort and progress aside, no one -- even Lipner -- claims Microsoft is even close to bug-free code. "I am not one of the many Microsoft bashers out there," says Lindstrom, "but it seems pretty clear that many people would not put Windows 2000 on their 'most secure operating system' list." And according to a report released on Oct. 31 by British computer-security consultant mi2g, 44% of the known software vulnerabilities announced in 2002 affected Microsoft Windows, compared to 19% affecting Linux. JUST ONE YARDSTICK. That's proportionally less than Microsoft's share of the computing infrastructure but still high enough to warrant concern. The sizeable bug count also illustrates the limits of using Common Criteria as the sole yardstick of security. "The Common Criteria is a framework for security evaluations. It is not a level of security. It's like saying 'my child graduated' without knowing if it was from kindergarten or university. An average CIO does not know that," says Bruce Schneier, chief technology officer of Internet security-monitoring firm Counterpane Internet Security. The upshot? Hats off to Redmond for taking steps to make security a real part of its software construction process. Now, fewer bugs, please.  Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column Get BusinessWeek directly on your desktop with our RSS feeds.  Add BusinessWeek news to your Web site with our headline feed. Click to buy an e-print or reprint of a BusinessWeek or BusinessWeek Online story or video. To subscribe online to BusinessWeek magazine, please click here. Learn more, go to the BusinessWeekOnline home page  | | NOVEMBER |
 Copyright 2002, by The McGraw-Hill Companies Inc. All rights reserved.Terms of Use | Privacy Policy |
Printer-Friendly Version
