domingo, 14 de outubro de 2007

Microsoft Security Paradigm Shift

There’s a lot to talk about security but my focus today will be regarding the shift of the Microsoft Security Paradigm.

Until a few years ago when someone talked about Microsoft Security to a crowd we could hear back a few laughs, so basically it became like a joke.We all know the security issues on Microsoft products until 2004, worms and virus like ‘Melissa’ (March 26, 1999), ‘I love you’ (May 4, 2000), ‘Code Red’ (July 13, 2001), ‘Blaster’ (August 13, 2003), and ‘Sasser’ (April 30, 2004) were easily spread over all computers connected to internet and corporate networks.

At that time networks were flooded with traffic generated by worms, desktop computers and servers got offline or completely shutdown, people lost data, corporate IT teams were busy as hell trying to clean out virus and worms from computers, servers and networks, this was not only chaotic it was an IT Armageddon.

Users lost their trust in Microsoft products and this was something unacceptable for everybody, not only for you but even for Microsoft.
It was the right time for the MS Chairman to ask something like - Why to develop new products and features if customers do not trust Microsoft products?

Yes, it was true, something needed to be done!

Today the MS products security is much, much better, either way is still not perfect but we all know that there's no such thing as perfect security. The whole reason for this is because a lot of things have changed inside Microsoft and it did represent a turnover on this matter, what I can call of the shift of Microsoft Security paradigm.

Today Microsoft is on the top of security for Operating systems, applications, business solutions and this is not joke for you guys.
You might ask about - What happened? What has changed?
There is one simple and broad answer for that, Trustworthy computing!

So what the heck is Trustworthy computing???
"Five year ago, Microsoft committed to Trustworthy Computing. Today, that commitment is a core company tenet. We mark the five year milestone with an examination of our progress to date and an affirmation of the promise of Trustworthy Computing: to provide secure, private, and reliable computing experiences for everyone based on sound business practices."

Ok, ok, it sounds like marketing stuff, so let’s start digging into this.

The big announcement of the commitment to improve security at Microsoft arose on 15th of January of 2002 when BillG sent out an email to all Full Time employees showing is vision about the new priority on Microsoft, and guess what… it was regarding Security.

And why security?
BillG: “In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software.
So now, when we face a choice between adding features and resolving security issues, we need to choose security.
…we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.
This priority touches on all the software work we do. By delivering on Trustworthy Computing, customers will get dramatically more value out of our advances than they have in the past. The challenge here is one that Microsoft is uniquely suited to solve.”

This is when Trustworthy computing came out of the box with 4 key elements such as Security, Privacy, Reliability and Business practices.


Security: “The security of our customers' computers and networks is a top priority, and we are committed to building software and services to better help protect our customers and the industry. Our approach to security includes both technological and social aspects.”

Privacy: “We believe that people have the right to not receive unwanted communications. We also believe that people need to be able to trust that their personal information is used appropriately—and that any use of that information provides specific value to them.”

Reliability: “We are committed to improving the quality of the technologies, products, and processes that customers need for systems that are reliable and that perform as intended and expected.”

Business practices: “We strive to maintain the highest standards in our business conduct, to ensure integrity and transparency in all of our business practices, and to address society's ethical, legal, and commercial expectations.”

If you want to learn more about Trustworthy Computing follow the link below:
http://www.microsoft.com/mscorp/twc/default.mspx


So, I think that it is the right time to ask about what was the reflex of Trustworthy Computing concept since 2002 in what Microsoft has done and is doing.
I will try to cover the essentials about this in the following lines.

New tools like Windows Live One care or Microsoft Windows Malicious Software Removal Tool have been provided to help customers with Security and Privacy. But the major improvements were not only based on tools, it was also the code. Yes, the code!

Microsoft developers are anchored to a process named Security Development LifeCycle (SDL) and automated tools that help to identify programming mistakes and security flaws on the code.
The SDL and some other processes contributed to reduce the number of security-related design, coding defects, and to reduce the severity of any defects that are left.




A pure example of this is Windows Vista. It was the first Microsoft Operating System developed end-to-end with SDL and the results are out there, it is simply the most secure, privacy-enhancing and reliable OS ever shipped by Microsoft. I will show you the facts and results of Windows Vista security improvements right away.

If you want to do a deep dive on Security Development LifeCycle (SDL) I advise you to read the Michael Howard's article "A Look Inside the Security Development Lifecycle at Microsoft". http://msdn.microsoft.com/msdnmag/issues/05/11/SDL/default.aspx

About Michael Howard:
Michael Howard is a senior security program manager at Microsoft focusing on secure process improvement and best practice. He is the coauthor of 19 Deadly Sins of Software Security (McGraw-Hill Osborne, 2005) and Processes to Produce Secure Software (Dept. of Homeland Security National Cyber Security Division).

Now it is time to show you some facts about the Microsoft improvements under the Security surface. As I told you before the Windows Vista was the first Operating System developed end-to-end with SDL. More than a half a year has passed since Windows Vista is out for business and consumers, it is enough to get some good pointers about the results of SDL.

One good way to prove the excellent results of SDL is by looking for the vulnerability indicators of Windows Vista and compare it to its predecessor Windows XP and other competitors. This is not an easy task to do and there’s a lot of information to collect and compare.

I will not drain my brains with this because one guy has already done it. His name is Jeff Jones and he has gathered vulnerability indicators about the first 6 months of availability for Windows Vista, Windows XP, Red Hat Enterprise Linux 4 WS, Ubuntu 6.06 LTS Desktop, Novell SUSE Linux Enteprise Desktop 10, Mac OS X 10.4 (Tiger) and did a comparison of all.




These graphs are a really good picture of how SDL contributed to reduce drastically the number of vulnerabilities in Windows Vista. This process is not exclusive for Vista it was extended to all other Microsoft software.

Check in detail the Windows Vista 6 Month Vulnerability report on the link below:
http://www.csoonline.com/pdf/6_Month_Vista_Vuln_Report.pdf

About Jeff Jones:
Jeff Jones is a Security Strategy Director in Microsoft’s Trustworthy Computing group. In this role, Jeff draws upon his security experience to work with enterprise CSOs and Microsoft's internal security teams to drive practical and measurable security improvements into Microsoft process and products.


And what about tomorrow? There is any possibility to occur a new Security Paradigm shift and regress to what it was before?

Well… I don’t know, no one can predict the tomorrow’s challenges on security, even thou I really doubt that Microsoft will not be at least one step ahead from other competitors.
There’s something we shall not forget, as a teenager Bill had a vision that every business and household would have a computer, it was some kind of bizarre at that time but he made it possible in our today’s world. Regarding security he thinks that Computing should be as secure and reliable as Telephony or Water services and we should have the same principle of Trust, which means we simple don’t care about it in a daily basis.


His ability to see beyond the current models of thinking is what avoided a paralysis in the Microsoft security paradigm shift and is what turns a vision into reality.

R-Tape Loading error,
Luís Rato

Sem comentários: