Stakes are High for Vista Security

There’s a lot more at stake in Microsoft’s new Vista operating system than many people realize. Sure, it’s a new operating system and it needs to fight its own fight for market share, but I think we’re probably all pretty realistic about the inevitable outcome in that fight. What’s at stake is a new way of thinking about security at Microsoft.

Many of us no doubt remember Chairman Bill’s now infamous 2002 memo to all Microsoft employees in which he put product security as the top priority for the company. Indeed, he went so far as to tell them that security concerns would trump new features in software products. That’s a significant and bold statement for any software development company and it is to be applauded. Great stuff, Bill!

But here it is 2007 and what has really changed? We saw some significant security advances in the XP family, most notably in service pack 2 (“SP2”). Numerous SP2 security enhancements were at last “opt-out” and not “opt-in,” meaning that, for the first time, security features such as the Windows firewall were enabled by default. Again, this is great stuff and should be loudly applauded. I should note that the Windows firewall was available prior to SP2, but many/most users were blissfully unaware of it because it wasn’t enabled by default. (Boo hiss! Bad Microsoft!)

Related Articles

Mac vs. Linux: Which is More Secure? Is the Mac Really More Secure than Windows? IT In 2007: Budget and Trends The Emerging Dell-Linux-Apple War FREE IT Management Newsletters bITa Planet CIO Update Intranet Journal Update Datamation IT Management Careers Datamation Newsletter Grid Computing Planet HTML E-Security Planet Newsletter E-Security Planet HTML DRM Watch HTML

But XP was released in late 2001, early 2002, so it couldn’t have possibly benefited in any meaningful way from Mr. Gates’s new security policy statement. An operating system takes years to develop, and no doubt the vast majority of the development that went into XP took place long before the developers had even the faintest hint of his intentions.

And then along comes Vista, some five or so years later. By all accounts, the code under Vista’s hood was largely a thorough re-write of prior XP and Win-2000 code. And what’s more, it’s the first full operating system that Microsoft developed from the ground up using its new Security Development Lifecycle (SDL).

Several papers and even books have been published detailing the different aspects of the SDL process. In mid-2006, Michael Howard and Steven Lipner published an excellent book on the SDL – it should be read by anyone who develops software.

But, outside of a relatively small (but growing) cadre of software security practitioners, not a lot of folks even know the SDL exists. And yet, in a very real way, the SDL is at least as much on the line here as Vista itself.

And with the first Vista-affecting zero-day attack surfacing just last week, I really hope this isn’t a harbinger of things to come. At least judging by the early accounts of this new security defect, it seems as though there’s every reason to expect it should have been caught through the extensive fuzz testing that’s an integral part of the SDL’s security testing regimen. There are even early indicators that this flaw—or at least a substantially similar one—was reported to Microsoft in XP a couple years back.