With its year-old Trustworthy Computing Initiative, Microsoft is employing new tools to detect security flaws during development, and it's working with consulting, patch-management and other partners to alert customers and issue updates when problems arise. But when it comes right down to it, Microsoft really doesn't know what to do next. For its every step to shore up security, it's scrambling a step-and-a-half backward because of the increasing sophistication of hackers, many of whom target Microsoft products with a vengeance.
Speaking at the company's .Net developers conference a month ago, senior VP Brian Valentine admitted that Microsoft's products "just aren't engineered for security"--though he argued that other vendors' products are equally vulnerable. Even as Microsoft and others improve security, Valentine said, hackers will devise new ways to break in. The stats don't lie: In just the first half of this year, the total number of system vulnerabilities reported to CERT were about equal to all those reported in 2001.
The problem has more to do with sophistication than sloppiness: Software is more complex, making exhaustive security testing extremely difficult. Reusable application objects can pass along bugs faster than ever. Black hats are getting smarter, while amateur hackers have easier access to tools of the trade.
Yes, Microsoft and other vendors are culpable; they continue to crank out new versions of software and systems before they can be tested adequately. But vendors aren't rushing product out the door as fast as they used to, either because customers don't have the money for incremental upgrades or they're demanding higher quality from the start.
Extreme Vigilance