Is Microsoft serious about security?


If you don’t know already, here is an indirect answer. I’ll quote directly from Bill Gates’ latest speech:

Now, in terms of delivering on more secure systems, I think there are three general things that we do. The first is advancing the technology. We spend over US$6 billion a year on research and development. I’d say that over a third of that is directly security-focused, and the other two-thirds all tie in and relate to that security work, all the new code being reviewed and going through the threat model, a pretty dramatic thing there. So, big advances on the technology front, and I’ll spend most of my time talking about the milestones there and the road ahead there.

Note the sentences about R&D spending (shown in red in the original). They simply state that Microsoft is spending over two billion dollars a year on security-focused R&D.

While mind-boggling, I would point out that this effort is still an ongoing process. Security is a hugely complex problem, and it is not just about fixing buffer overruns in various Microsoft products. That is actually just a small part of the problem. All our efforts to better educate customers about how to secure their systems, automatic patch management systems, anti-spyware initiatives – it’s all there.

Comments (8)

  1. Anonymous says:

    I know Microsoft is serious about security, but it’s not perceived as such. One simple question would be: How old is the Trustworthy Computing initiative? About 3 years now, isn’t it?

    Let’s assume that during this time, Microsoft has spent $1bn/year on security (whatever that means, the term is very loose). That makes about $3bn, a huge amount of money.

    The reason the public doesn’t buy into Twc is extremely simple: Where has the money gone?

    Sure, there will be Prefast in Visual C++ 2005 and the tool works great in the beta and community technology preview versions of VC++. It had already been available for driver developers (http://www.microsoft.com/whdc/devtools/tools/PREfast.mspx). Microsoft did acquire GeCAD, Giant, Sybari, and it added a security center to Windows XP in SP2. None of the ideas or products that have been acquired and incorporated are new, and they do not account for the amount of money Microsoft says it’s spending.

    Now, I do trust Microsoft, but at least when it comes to public display of trust in Microsoft, I’m in the minority. The fact that Mr. Gates says the same thing from one year to another ("we spend over…") makes everyone else think things haven’t changed much in the meantime. For now, Microsoft just needs a clean image. The technology itself is good enough and can compete without problems with any given alternative on the market.

  2. Anonymous says:

    >> The reason the public doesn’t buy into Twc is extremely simple: Where has the money gone?

    Well, at least until now, I think that most efforts were focused on the following directions:

    1) A new infrastructure for patch management distribution.

    2) Developing Windows XP SP2 (another huge effort, especially considering the time limitations to get it out of the door). Similarly, the security push for Windows XP SP1 and Windows Server 2003 (RTM and SP1), and other Microsoft products as well…

    3) User education!

    Security is an ongoing process that will not end up in one year or two. What we had until now is just the beginning, if you ask me… 🙂

  3. Anonymous says:

    Ovidiu is an untrustworthy source, he is coming to work for Microsoft in the near future and is seen to be sucking up to the powers that blog even if he isn’t.

    That said, I see Microsoft have excellent security teams, and bad management. Their willingness to constantly put backward compatibility above security is bad. Example: zone models in IE instead of granular permissioning. (For the record, choosing backward compatibility over functionality is "OK" although annoying for power users, but over security? Never!)

  4. Anonymous says:

    >> Their willingness to constantly put backward compatibility above security is bad.

    I agree that in the past Microsoft had a bad history of doing whatever changes in a service pack while maintaining backward compatibility. This had the unfortunate effect of keeping security low – for example the RPCSS ports were open in Windows 2000 or even XP (RTM and SP1)… The truth is (and always will be) that blocking old features is a deployment blocker for more secure versions of an OS. In many cases, customers are simply not willing to update their Windows if this breaks things. And this makes the customers even more vulnerable since they have to maintain an old Windows version.

    But this state of things had a dramatic reversal starting with the latest service pack (XP SP2). These service packs are simply more secure since certain features are either turned off by default or hardened for additional security. These days the TOP priority is to maintain full security. Application compatibility is only a second priority.

    The same principle is also applied in the latest service pack of Windows Server 2003 (SP1).

  5. Anonymous says:

    "A new infrastructure for patch management distribution."

    I’ll wait and see Microsoft Update and WUS up and running. However, this is only half a step in the right direction. Third party applications can’t rely yet on a platform for automatic updates. So far, most of them have their own updating mechanism; the most annoying thing about these custom updaters is that they don’t work in LUA scenarios – in order to update anything, you need to log in as an administrator and run the app again.

    "XP SP2…"

    SP2 was a huge step, but Microsoft has a long way to go until people will perceive its products as trustworthy.

    "User education"

    I’d say developer education here 🙂 Applications not working in LUA scenarios are just the first example I can think of. How many developers do you think do threat modeling on their apps?

    Whatever: I try hard not to respond to anonymous cowards. However, you should note that I’m the most trustworthy source of my biased, subjective, personal opinions in the world 🙂 I can’t really see how the fact that I’m starting work at Microsoft this summer would influence my comments. If you care to comment, you have my blog URL in my signature. Drop me an email, with a real name and a valid email address.

  6. Anonymous says:

    >> "User education"

    >>> I’d say developer education here 🙂 Applications not working in LUA scenarios are just the first example I can think of. How many developers do you think do threat modeling on their apps?

    No, no – this is something entirely different. By (end) user education I meant all this evangelization effort to convince users that:

    1) They have to install a real antivirus program on their system

    2) They have to install Windows Update and leave automatic updates turned on

    3) They should NOT open random programs sent by email from people that they do not trust.

    4) They should NOT install random programs from web pages that they do not trust.

    5) etc.

    I do not know the numbers myself but I know that it takes a lot of money to do this education through web sites, ads, etc. Especially when you have hundreds of millions of customers…

    That said, yes, developer education is equally needed.

  7. Anonymous says:

    I feel that the main security problem is the Intel x86 processor concept, as well as some other microprocessors (let’s not forget that those microprocessors were not originally created to power complex mission-critical systems).

    In particular, why is input/output not completely separated and prohibited from interfering with main memory?

    This is how some good old mainframe systems work:

    – Input/output buffers are in separate memory areas and a buffer overflow is not allowed.

    – Device drivers are in a separate area and cannot interfere with the operating system’s controlled memory area.

    – In addition to this, the operating system is protected from any change by a program.

    I realize changing this would necessitate some huge rework, but is it not time to move away from the now almost 30-year-old x86 processor concept, especially given the growing security risks and the growing importance of security?

    I believe it is more than time to completely rethink the basic system concepts (hardware and operating system).