Visual Studio .NET puts MS security push to test
By John K. Waters
True to form, Bill Gates described last week's coming out of Visual
Studio .NET as an "industry milestone." In at least one respect, Gates's
hyperbolic proclamation is more than mere marketing mush: Visual Studio
.NET is the first Microsoft product to emerge from the company's new
Trustworthy Computing initiative.
"The Visual Studio .NET release truly is a milestone," said Rob Enderle,
research fellow at Giga Information Group. "It was the first product
impacted by the new security emphasis at Microsoft, which was a
company-wide initiative that came right out of Bill Gates's office."
Some industry watchers speculated that Gates's epiphany may have been
precipitated by the September terrorist attacks, but others note
Microsoft has long been plagued by crackers and virus creators who
target market-dominating Microsoft products like Outlook, Exchange,
Hotmail and the MSN Web network. High-profile attacks, such as last
year's Code Red and Nimda, caused extreme concern at the company's
biggest corporate customers. Some were said to be expressing concerns
about investing in software with perceived security problems.
"When yours is the dominant product, as Microsoft's OS and
productivity apps are," noted Enderle, "you're the target. And if
you're Microsoft, even if you aren't dominant, you're still the one
After a breach discovered last September in its free Hotmail
service, Microsoft officials decided to turn to an outside auditor
to test the service's security. In January, Gates issued a memo to
his employees, which in part read: "Trustworthy computing is more
important than any other part of our work ... the highest priority
... when we face a choice between adding features and resolving
security issues, we need to choose security."
Gates then publicly pledged to transform his company's approach
to security and privacy. Putting its money where Gates's mouth is,
Microsoft created a centralized security group that reports high
in the organization and focuses on security during the application
development process. MS gave the group a healthy budget and hired
former Department of Justice computer-crime buster Scott Charney
as chief security strategist. Charney starts his new job in April.
The security audit of Visual Studio .NET was conducted manually,
Enderle said, because Microsoft has yet to develop an auditing
tool, which may be one of the reasons it took the company four
years to get the product into commercial release.
"Security has become the by-word for all future Microsoft
products," commented Enderle. "And that's going to cause them to
go through a longer development cycle. But the end result should
be vastly more secure products. And when I say 'vastly' more
secure, I mean vastly. At the end of the day, being under siege is
forcing Microsoft to build the strongest wall."
John K. Waters is a freelance writer based in Silicon Valley. He can be reached