Microsoft Sways Black Hatters with Vista Security Pledge
LAS VEGASWhen Microsoft launched its Trustworthy Computing initiative in 2002, many industry watchers doubted the seriousness of the software giant's pledge to improve the security of its products.
As the company prepares to release its Vista operating system in 2007, attendees of the Black Hat security conference said that they're now convinced the company has made significant progress to that end.
John Lambert, group manager of Microsoft's Security Engineering and Communications Group, gave show attendees a comprehensive overview of the security procedures that the Redmond, Wash., software maker has employed in developing Vista here on Aug. 3.
Among the topics Lambert shared about the much-awaited revamp of the Windows operating system were specific details of the work done under its SDL (Secure Development Lifecycle) project, which is aimed at eliminating potential vulnerabilities in the software's code before Vista is shipped to customers.
From applying tools meant to automate and strengthen the firm's ability to find and track potential bugs in Vista's code, to hiring outside security experts to poke holes in the software, Lambert emphasized that Microsoft has tried to examine every aspect of its development process to ensure that Vista will be "the most secure operating system that Microsoft has ever shipped."
Anti-virus market leader Symantec has published several reports identifying potential loopholes in beta versions of Vista, but the security vendor concedes that Microsoft has made progress in eliminating flaws with each successive release of the previews.
By standing up in front of the Black Hat crowd, which includes everyone from high-ranking corporate IT security executives to malware code writers, Microsoft is clearly lending a level of transparency about its security work that would have been unexpected of the vendor in years past.
Previous iterations of Windows have required repeated security updates to address large numbers of vulnerabilities that have been at the center of many computer viruses, such as the notorious MyDoom attack.
Attendees of the show, being held here from July 31 through Aug. 3, seemed impressed by what they heard from Lambert and lauded Microsoft's security work as promising in reducing the number of vulnerabilities that will come onboard when Vista arrives in early 2007.
"They've definitely made progress; it should be much more secure," said Dave Opitz, a security analyst at Loyola College in Baltimore. "Maybe not secure enough, but what they've achieved [compared to earlier versions of Windows] is impressive."
Opitz said that it's still hard to decipher how much of Lambert's presentation was merely savvy marketing, but the concerted effort to better scour the product's underpinnings will certainly have a positive effect, he said.
"You still have to wonder how thorough they have been, but they've clearly been more aggressive about going over the code, which should help," Opitz said.