Microsoft has spent more on securing its software than was spent on the Star Wars missile project, the company's head of security has told conference guests. An unfortunate analogy for Iain Mulholland to use since the project was a complete failure and little more than the private obsession of a few top American ego-maniacs. But, despite - and because of - this Herculean effort, viruses and worms are going to get worse. They will become more complex, more vicious and more dangerous because the days of quick and easy exploits have come to an end, thanks to the software giant's efforts. According to one expert anyway.
Former Bell Laboratories researcher, security author and founder of IT security firm Lumeta, Bill Cheswick said that improved security will force malicious code writers to construct more complex programs that will either circumvent or push conventional defenses such as anti-virus software and firewalls to their limits. Recent examples of malicious code, that had not necessarily escaped into the wild, were generally becoming more time consuming and difficult to copy or neutralise, he said. "Virus emulators are slowing down. This game is not going to end nicely. What happens if there is a virus you cannot defeat? The spooks worry about viruses with their own compilers."
News source: TechWorld
Ballmer also reinforced the ongoing priority of security-related issues and improvements.
"In order to take advantage of new business opportunities and effectively manage upfront and lifetime IT costs, it's important for customers to look at the entire IT life cycle - from application development to operations and management - and to choose a software platform that provides strong tools, ecosystem partnerships, security and support," Ballmer said. "The tools and technologies Microsoft is delivering today help customers work effectively and efficiently in distributed environments and across disciplines to drive growth and respond to change."
Microsoft Tech*Ed is Microsoft's premier technical training event, offering more than 400 sessions delivered by industry experts. More than 11,000 people are attending Tech*Ed 2004 - an increase of more than 22 percent over Tech*Ed 2003.
Visual Studio 2005 Team System Delivers Powerful Life-Cycle Tools
As businesses look to transform their IT organisations from a cost centre to a catalyst for overall growth, IT professionals seek to continually improve the efficiency and predictability of their infrastructure. Managing the life cycle of software development is a critically important component to overall business success and has become increasingly challenging as software teams become more specialised and geographically distributed. This effort is part of Microsoft's Dynamic Systems Initiative (DSI), an industrywide initiative focused on management of the entire application life cycle.
Unveiled today, Visual Studio 2005 Team System delivers productive, integrated and extensible software life-cycle tools that enable businesses to reduce the complexity of delivering service-oriented solutions. The Visual Studio 2005 Team System contains several tightly integrated design, development and testing tools that foster greater collaboration between architects, developers and IT professionals throughout the IT life cycle. Expanding on Microsoft's proven success in delivering highly productive developer tools, the Visual Studio Team System increases the predictability of the software development process, shortens the development life cycle, and enables IT departments to deliver greater business value.
Visual Studio 2005 Team System creates even more opportunities for the Visual Studio partner ecosystem. Global systems integrators, service providers and tools vendors all play a vital role in complementing and extending the Microsoft Visual Tools family to customers. Today, Borland Software Corp., Compuware Corp., EDS, Telelogic AB and Unisys Corp. announced their support for Visual Studio 2005 Team System.
Partners can take advantage of the integration benefits of the Visual Studio 2005 Team System, giving customers a broad choice of development tool options. "We believe Microsoft's entry into application life-cycle management is evidence that the industry is maturing, and will even further expand for leaders like Borland that have years of experience in the space and a set of mature products already available to customers," said Dale Fuller, CEO of Borland Software. "Borland looks forward to continuing its long-standing collaborative relationship with Microsoft to deliver high-quality solutions for our mutual customers."
Systems integrators can extend the Visual Studio 2005 Team System and Microsoft's process guidance and prescriptive architectures to gain greater predictability in the development process.
"Visual Studio 2005 Team System offers maximum productivity using integrated tools while lowering risk and project-related costs through increased and continuous visibility into the overall project. This allows EDS to increase business agility for clients through configurable guidance, architectural guidance and life-cycle tools built on Windows Server System," said Stan Alexander, vice president of Technology Strategy & Architecture at EDS.
Facilitating Service Orientation With More Secure Web Services
Microsoft's service-orientation strategy focuses on enabling customers to integrate new and existing systems composed of heterogeneous technologies with Web services. To help developers build interoperable, security-enhanced Web services solutions, Microsoft today announced the immediate availability of Web Services Enhancements 2.0 for Microsoft .NET (WSE), a free add-on to Microsoft Visual Studio .NET and the .NET Framework.
Today more than 250,000 developers use WSE to build security-enhanced Web services that help improve business processes within and beyond corporate trust boundaries. Customers such as HP, the Ohio State University Medical Center, EDGAR Online Inc. and Siemens AG are already experiencing the benefits of developing advanced Web services solutions based on WSE 2.0.
The Ohio State University Medical Center required a solution that allowed authorised users to remotely and more securely monitor, record and replay generated vital-signs data and correlate this data with medications administered in the operating room.
"Microsoft was the only company that offered an implementation of the Web services protocol specifications (WS-Security, WS-Trust, WS-Policy, WS-SecureConversation) required to make the project a success," said professor Furrukh Khan, director of technology for the Collaborative for Applied Software Technology, Electrical and Computer Engineering at The Ohio State University. "By using WSE 2.0, we were able to focus on the solution's business logic instead of writing security code. WS-Policy allowed us to simply install digital certificates and write a few hundred lines of XML that describes how the Web services are to use them. Another big enabler was WS-SecureConversation, which gave us the security that was required without sacrificing performance."
WSE 2.0 enables developers to build advanced Web services using the latest protocol specifications. Developers can use WSE to more easily enhance Web services security by incorporating WS-Security (based on the 2004 Organization for the Advancement of Structured Information Standards (OASIS) standard), including WS-Policy, WS-Security Policy, WS-Trust and WS-SecureConversation.
Additional features include extensible transports, support for custom policies, the ability to host Web services independent from IIS, and asynchronous messaging based on the WS-Addressing specification.
To further support integration of systems using security-enhanced Web services, Microsoft also announced the Technology Preview release of the BizTalk Server Adapter for WSE 2.0. Using this adapter, BizTalk Server customers can easily orchestrate new business processes out of security-enhanced, autonomous Web services, creating further levels of business agility using service-orientation design principles.
Using Web Services to Help Information Workers and Developers Harness the Power of Microsoft Office for IT
The Microsoft Office Editions are some of the most widely used applications in enterprises today, but customers typically have to leave the Microsoft Office experience when they want to access many kinds of business data. Developers now have the opportunity to create intelligent business solutions that address today's demanding business requirements while giving information workers the powerful, familiar user interface of the Microsoft Office Editions. In order to enable software developers to more powerfully leverage existing systems and information even when it is stored in multiple disparate back-end systems, Microsoft today released the technical beta of the Microsoft Office Information Bridge Framework.
The Information Bridge Framework provides developers with a set of tools and components to quickly and cost-effectively build smart client solutions that connect Microsoft Office Professional Edition 2003 to multiple enterprise systems via Web services. Information Bridge reduces the costs of solution development for IT professionals and increases flexibility and manageability of Office-based information integration solutions.
In addition, Information Bridge-based solutions empower information workers to easily find, access and work with line-of-business information within the familiar Microsoft Office environment.
The Information Bridge Framework provides the following:
* A client-side component that interprets XML markup, which describes the Information Bridge-based solution behaviour, including its user interface and user actions
* A server-side component that enables Web services to expose the data, views and actions embodied by line-of-business applications
* Information Bridge Metadata Designer, a plug-in for the Microsoft Visual Studio .NET development system that creates and manages solution metadata
"We're very excited about the possibilities of the Information Bridge Framework. Not only does it make it easier for our developers to build and manage integrated solutions that connect Office to our enterprise, but it also improves the productivity of our employees by building upon the Microsoft Office user interface," said Ken Meidell, chief information officer at Cascade Designs. "We were able to save money and improve our product development process significantly by building upon Information Bridge and Office."

They're sending that Security Update CD for free, through UPS!
All of my friends have them, and some don't even have a computer.
I would think that Open Source software is at least as secure (if not more) as M$ products yet much LESS money is spent on security - thus this is a problem arising from M$'s strategy.
Anyone agree?
No, Linux is not just done by hobbyists any more; you're portraying a rather archaic and out of date view on Linux. IBM, Redhat, Novell, Sun and even Apple contribute to the development of Linux. It's no longer the geek hobbyist OS you think it is.
If you're somehow trying to make Linux look any less professional than Windows is then you're wrong again. As a server OS many IT admins would consider Linux a very capable OS, with the exception of AD and Exchange.
Jason is a supporter of Microsoft, and I am a supporter of Open Source - so we don't see eye-to-eye on several issues. I will agree with you that his statement isn't wholly accurate today as larger corporations put more development into Linux.
However, he is correct that Microsoft is a corporation whose main purpose is to sell the best products they can make. Improving their software is necessary (to improve computing experiences, and - cynically - to maximize their profits to provide the best return-on-investment for their shareholders).
Both camps have security as one of their primary thoughts when developing. No need to start making this a personal issue by singling out an individual participating in the forums.
Nobody working on open source found the first exploit, someone actually exercised the exploit against the Debian GNU/Linux project...a rather nasty way to "discover" a new exploit, wouldn't you agree?
Open source has no security guarantee.
If I didn't know better, I'd say that this guy is lambasting Microsoft for working too hard on security. It sounds like he's suggesting that Microsoft should back off on security so malware writers won't have to write nastier worms and viruses to accomplish their goals.
The implication here is that Bill Cheswick and his clients are already adequately protected against the current generation of worms and viruses. That he doesn't want to see Microsoft taking any action that will make his job harder by forcing him to protect against newer and nastier stuff. That he'd rather see the public at large sacrificed as easy targets for the bad guys so they'll leave him and his clients alone.
In fact, though, I don't believe that for one second. A check of his website, Lumeta, shows that Microsoft is one of his clients. There is no sane reason why he'd adopt that attitude. I believe he was merely commenting on the state of things to come. Besides, increased security risks means more business for him.
In the future, however, I'd suggest he do a better job of communicating his concerns to reporters so that his remarks won't be misinterpreted as in the above.
solution could be release security to a 3rd party company. full disclosure
You can't honestly believe that Microsoft isn't making improvements, can you? Their OS security has increased several-fold since the Win9x days.
The increase in worms/viruses and other malware recently is more due to two things, in my opinion:
1) People still not patching their systems. 99.9% (my estimate) of in-the-wild exploits use a problem for which a patch has already been released!
2) More people on broadband than in years past - more PCs being left ON and connected 24/7. A very fertile ground, as many users have a problem with item #1.
That's half true, WinXP opened up some huge security holes with the introduction of raw sockets. Now that it's taken care of it's no big deal but raw sockets were only limited to win2k and nt I believe. Now since winxp is so mainstream virus writers have a lot more to work with - with an OS + a NT kernel in its background rather than the old and unwieldy 9x.
However I do agree, WinXP is more stable and secure today than 9x ever was.
Raw Sockets were never realistically going to be a problem.
Yeah. And both are an exercise in futility that won't make the United States or the world any safer.
That's some horrible reporting, as far as I can remember it (the missile test) was a success, costly and definitely over budget, but wasn't it 2 out of 3?