News

Visual Studio .NET puts MS security push to test

• By John K. Waters
• February 19, 2002

True to form, Bill Gates described last week's coming out of Visual Studio .NET as an "industry milestone." In at least one respect, Gates's hyperbolic proclamation is more than mere marketing mush: Visual Studio .NET is the first Microsoft product to emerge from the company's new Trustworthy Computing initiative.

"The Visual Studio .NET release truly is a milestone," said Rob Enderle, research fellow at Giga Information Group. "It was the first product impacted by the new security emphasis at Microsoft, which was a company-wide initiative that came right out of Bill Gates's office."

Some industry watchers speculated that Gates's epiphany may have been precipitated by the September terrorist attacks, but others note Microsoft has long been plagued by crackers and virus creators who target market-dominating Microsoft products like Outlook, Exchange, Hotmail and the MSN Web network. High-profile attacks, such as last year's Code Red and Nimda, caused extreme concern at the company's biggest corporate customers. Some were said to be expressing concerns about investing in software with perceived security problems.

"When yours is the dominant product, as Microsoft's OS and productivity apps are," noted Enderle, "you're the target. And if you're Microsoft, even if you aren't dominant, you're still the one to hack."

After a breach discovered last September in its free Hotmail service, Microsoft officials decided to turn to an outside auditor to test the service's security. In January, Gates issued a memo to his employees, which in part read: "Trustworthy computing is more important than any other part of our work ... the highest priority ... when we face a choice between adding features and resolving security issues, we need to choose security."

Gates then publicly pledged to transform his company's approach to security and privacy. Putting its money where Gates's mouth is, Microsoft created a centralized security group that reports high in the organization and focuses on security during the application development process. MS gave the group a healthy budget and hired former Department of Justice computer-crime buster Scott Charney as chief security strategist. Charney starts his new job in April.

The security audit of Visual Studio .NET was conducted manually, Enderle said, because Microsoft has yet to develop an auditing tool, which may be one of the reasons it took the company four years to get the product into commercial release.

"Security has become the by-word for all future Microsoft products," commented Enderle. "And that's going to cause them to go through a longer development cycle. But the end result should be vastly more secure products. And when I say 'vastly' more secure, I mean vastly. At the end of the day, being under siege is forcing Microsoft to build the strongest wall."