Acknowledging "too many vulnerabilities in the product," Microsoft Corp. vice president Mike Nash said software must achieve "the same level of trust as a public utility" that supplies 120 volts reliably from every electrical outlet. Nash heads the security business unit that early this year enforced a 10-week stand-down of all development at Microsoft while 11,0000 coders learned about threat modeling and peer-reviewed each other's work.
Nash said Visual Studio.Net is the first product to emerge from the company's "security push process." Windows.Net Server 2003, he said, will come out somewhat later than planned because of the security push, and it will arrive with Web server features turned off, because they otherwise could present a security vulnerability if customers did not use them. He said the goal is to make software "secure by design, by default and by deployment."
The Microsoft.com Web site has become the test bed for all the company's enterprise-level products, Nash said, because "no uniform resource locator or domain has more hack attempts."
Nash said Microsoft chairman Bill Gates was prompted by the importance of software in daily life and commerce to consider security as "an industry problem." The company's security emphasis will not only be a change in philosophy but will change the behavior of its engineers and managers, he said. Microsoft aims to "reduce the number of vulnerabilities that customers find in the products," Nash said, by such means as rigorous reviews before release. "It is clear we have a lot of work to do," he said. "This will never be over. It has to be ingrained."