Microsoft changed its software engineering processes for the forthcoming Windows 2000 operating system to design a more secure product, a top Windows executive told attendees at the RSA 2000 conference on Tuesday.
Company officials also announced that Windows 2000 will ship to international customers with 128-bit encryption instead of 64-bit encryption, following the US Government's recent decision to relax some encryption export controls.
"Windows 2000 is the first wave of re-engineering security inside the company and raises the bar for security," said Brian Valentine, senior vice president of the Windows division at Microsoft. Valentine said the operating system is the most secure the company has ever shipped. "Until we give commitments to our customers, we are not going to get the confidence levels of our customers and consumers to trust us. We need better products that are simpler, more reliable and more secure."
According to Valentine, Windows 2000 was designed to be resistant to attack using a new development process in which programmers checked each module against specific security criteria. He said a dedicated 15-person team of outside consultants spent 18 months vetting the software for potential flaws, and outside experts also evaluated the code. In addition, 100 key customers were asked to evaluate beta versions of the operating system for possible security flaws. "There are security and privacy issues that we have to address or we will stall the industry," Valentine said.
A security manager from a large manufacturing company, who asked not to be identified, said she was pleased that Microsoft asked her firm to make suggestions for improving the security of Windows 2000. "I applaud their action in soliciting customers to provide feedback and meeting our requirements and listening to us," said the manager, who attended the show. "It's a very complex program, and management could be a nightmare. But if they train users and customers, it could work."
Todd Kreuger, founder of San Diego-based 2earn, which develops telephony and Web-based applications, said he was extremely pleased with the security of the beta version of Windows 2000 that he tested. "It's better than NT 4.0, and data access is awesome using multithreaded applications," Kreuger said.
But critics at the RSA conference said the sheer complexity of the operating system, due to be released on February 17, will introduce new security holes that can't be anticipated. Past versions of the popular operating system were plagued by bugs that made systems vulnerable to security exploits. Members of a panel called "Securing the Internet: When Cryptography Isn't Enough" said that despite Microsoft's efforts, they didn't consider Windows 2000 secure.
Bruce Schneier, chief technology officer at Counterpane Internet Security in San Jose, noted that Windows 2000 has 40 million to 60 million lines of code and there are, on average, five to 15 bugs per thousand lines of code. He said that despite Microsoft's effort to vet bugs in advance of the product launch, the company would need to employ twice the number of people required to design the software to debug it. "Complexity is the enemy of security," Schneier said. "As [Windows 2000] gets more complex, we are seeing more bugs."
Members of the panel noted that Windows 2000 is built from modular components that may undermine security precautions by interacting with software outside the operating system, or through plug-ins that might not have been subjected to the security testing done for a specific implementation. "Tight coupling and integration of the features make it less secure," argued Steven Bellovin, a security expert at AT&T Labs.
Custom configurations may also introduce unanticipated security flaws, panel members said. They also questioned the security of ActiveX controls and digital certificates embedded in the operating system.
Valentine asserted that any security holes in products need to be plugged by vendors and not passed along to end users, not all of whom can be trusted to adequately handle security issues. "It's incumbent on us to really get serious about this and move it forward," said Valentine.
Microsoft announced at the conference that it has issued the "Microsoft Security Commitment", which isn't a guarantee of secure programs but a statement that the company takes security seriously and will respond swiftly to any potential problems. Valentine said the company has relaunched its 24-hour Security Response Center to better handle concerns from customers. Microsoft said it has also issued clearer guidelines for IT managers implementing security configurations and has built support for the IPSec network security protocol into Windows 2000.