Security Progress at Microsoft

If you have not already done so, I would urge you to take a look at Bill Gates' “Microsoft Progress Report: Security” at https://www.microsoft.com/mscorp/execmail. One thing that will hit you is the sheer breadth of effort being undertaken at Microsoft in the security arena. And by security, I don't just mean crypto; I mean quality and attack resilience too.

As some of you know, I spend all my time working on security engineering: helping engineers (developers, designers, program managers, testers, documentation people, architects and the odd VP) “do the right thing” from a security perspective. It takes time to see the results of your labors when you start a mammoth undertaking like Trustworthy Computing, but I really feel like we are starting to see real progress. And I mean REAL PROGRESS. Now don't get me wrong, there is still a huge amount of work to be done, but some of the early indicators in Bill's email are, for me anyway, very encouraging:

The security development processes we instituted prior to releasing Windows Server 2003 last year are a prime example of where this effort is showing results that benefit customers. The number of "critical" or "important" security bulletins issued for Windows Server 2003, compared to Windows 2000 Server, dropped from 40 to 9 in the first 320 days each product was on the market. Similarly, for SQL Server 2000, there were 3 bulletins issued in the 15 months after release of Service Pack 3, compared to 13 bulletins in the 15 months prior to its release. With Exchange 2000 SP3, there was just 1 bulletin in the 21 months after its release, compared to 7 bulletins in the 21 months prior.

To me, the most telling figures are the Windows figures:

  • 320 days after the release of Windows 2000, we had issued 40 important or critical security bulletins.
  • 320 days after the release of Windows Server 2003, we have issued 9 important or critical security bulletins.

Once again, don't get me wrong, that's still 9 security bulletins, but 9 is MUCH better than 40! And we're seeing this trend across other products too.

There's one figure not in Bill's email, and that is the number of security bulletins issued against IIS6. So here's a pop quiz: we're nearly at the one-year anniversary of the release of Windows Server 2003 and IIS6, so how many security bulletins have been issued for IIS6? Zero. I'm not saying there are no security defects in IIS6; I have no doubt there are. But I like zero! I like zero a lot!

It's warming to see all the work we've done in the last two years starting to pay off. All the training, documentation, root cause analysis, process improvement, threat modeling, security pushes, security reviews, code changes, attack surface reduction work, penetration testing, automated source analysis, compiler improvements, heap improvements and much more has been worth every penny.

Now onto the next two years!