Many software vendors are caught between a rock and a hard place, trying to balance the need to support legacy software against the threat of malware and malicious hackers.
Microsoft is perhaps the most visible example of the conflict between legacy requirements, usability and security, but the company has methods for managing the security risk, according to Michael Howard, a senior security program manager in Microsoft’s secure Windows initiative group.
Howard says a key to Microsoft’s security efforts is the Final Security Review (FSR), a comprehensive security examination of a product before release. Products must pass before they ship, Howard says. “We have veto rights.”
Service Pack 2 for XP, due for final release later this month, passed its FSR in May, he says. The process took 10 weeks.
Other software vendors have expressed interest in the security programme at Microsoft. There are no plans to open the FSR to other companies, but Howard says certification will be required for software to run on Longhorn, Microsoft’s next-generation OS.
“To be in Windows [Longhorn] you must have done A, B and X,” Howard says. “The Windows certification group looks after that.”
Threat modelling is used to identify which types of vulnerability are most likely to occur and how an attacker is likely to attempt to find and exploit any weaknesses. Howard, who presented a session at Tech Ed on threat modelling, believes it’s impossible to build secure software unless the threat is understood.
He also works with some universities in the US and Britain to teach students how to consider security when writing and designing applications.
“The average graduate — let’s be honest — just doesn’t know how to build secure software,” he says. “There shouldn’t be anything hard about it.
“There are actually some very, very simple skills you can teach people.”
Still, some software can never be truly secure, particularly legacy code that is still needed by some customers or ISVs — for example, software that performs a function that necessarily compromises security, or offers a legacy API function that was not designed with security in mind. Howard agrees that some software included in even the most recent OS — Windows Server 2003 — will never pass an FSR, but Microsoft does recognise and manage the risk.
“There’s code that is essentially in kind of a maintenance mode. We tested a lot of stuff, recognising that it has defects,” Howard says.
He offers NetDDE as an example. NetDDE provides a shared clipboard among hosts on a network. Some customers still use it and it is still available, but Microsoft has now disabled NetDDE by default.
In addition, NetDDE still has an owner at Microsoft, who is familiar with its features and its flaws and can be called upon if problems arise. “It’s not just orphaned,” says Howard.
Legacy security problems aren’t limited to the Win32 API, he says. Microsoft has made 400 function changes in the C runtime library and submitted those changes to ISO, the standards body that oversees the C language, for adoption in a future version of C.
Microsoft’s C compiler will throw a warning when the insecure functions are used and will suggest a replacement, Howard says. Developers who ignore the suggestions and continue to use the older functions will probably find their product won’t get certified for Longhorn.
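As an added illustration (not code from the article or from Microsoft’s runtime), the following shows the kind of checked replacement the article describes next to the unchecked call it supersedes: the replacement takes the destination size, refuses a copy that would not fit, and leaves the buffer in a defined state. The function name, return codes and the caller are assumptions modelled on the errno_t-returning style of the checked CRT functions.

```c
#include <stddef.h>
#include <string.h>

/*
 * The unchecked pattern the compiler warning targets (shown only as a
 * comment; it is the defect, not the fix):
 *
 *     char name[16];
 *     strcpy(name, input);   // no destination size: a long input overruns name
 *
 * The checked form below is an assumed stand-in for such a replacement.
 */

/* Assumed status values, in the spirit of errno_t returns. */
enum copy_status { COPY_OK = 0, COPY_EINVAL = 22, COPY_ERANGE = 34 };

/* Copy src into dst[dstsz]. On any failure dst is set to the empty string
 * (when dst and dstsz are valid), never left partial or unterminated. */
int bounded_strcpy(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0)
        return COPY_EINVAL;
    if (src == NULL) {
        dst[0] = '\0';
        return COPY_EINVAL;
    }

    /* Measure src, but never look further than the destination could hold. */
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;

    if (n == dstsz) {            /* no room left for the terminator: refuse */
        dst[0] = '\0';
        return COPY_ERANGE;
    }

    memcpy(dst, src, n + 1);     /* n + 1 <= dstsz, terminator included */
    return COPY_OK;
}

/* Illustrative caller (assumed): stores an untrusted field in a fixed
 * 16-byte buffer and reports whether the copy was accepted. */
int store_username(const char *input, char out[16])
{
    return bounded_strcpy(out, 16, input);
}
```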
Similarly, Microsoft now tends to make security and privacy judgement calls on behalf of the user. Dialog boxes don’t inform the user when they are treated as a distraction and quickly clicked away. “People will read dialog boxes as ‘Do you want to get the job done’,” says Howard.
Ben Smith, a Microsoft security strategist, says secure default settings reduce the potential mistakes a user can make. “I think very much what software should do is eliminate the amount of knowledge a person should need to use something,” he says.
Smith believes computers are now in a security Bronze Age. He’s not expecting the Renaissance anytime soon: the next step, he says, will be a kind of medieval or feudal period in which governments and large corporations have very secure, very expensive systems.
That doesn’t mean the rest of us will be left as cyberserfs. Eventually that technology will become affordable and usable enough for the rest of us, Smith says. “That’s typically how technology works.”