Security Coding Halt, New Hires
Feb. 11, 2002

Microsoft’s Windows Division has begun a one-month suspension of development on Windows .NET Server while the development team gets additional security training and starts an ongoing security review of the Windows code base. Microsoft has also filled two key security positions, hiring Scott Charney as chief security strategist and making Mike Nash vice president of the security business unit for the Windows Division.

Coding on Hold

Showing that it is taking recent security vulnerabilities and Bill Gates’s "Trustworthy Computing" memo to heart, the Windows Division has halted new code development during Feb. 2002 on Windows .NET Server, the next scheduled Windows version. (For background, see "Gates Puts Focus on Trustworthy Computing" on page 10 of the Feb. 2002 Update.)

During the code freeze, the Windows Division’s program managers, developers, and testers are attending security training based on the recently published Microsoft Press book Writing Secure Code by Microsoft security experts Michael Howard and David LeBlanc. In addition, program managers are reviewing the specifications for their features, developers are reviewing their code, and testers are reviewing test plans and scripts to address security vulnerabilities.

Windows contains millions of lines of code, and it is not likely that every line of code can be examined in a single month, but the unprecedented feature-by-feature review by the previously ship-focused teams illustrates the Windows Division’s newfound desire to develop secure products. However, the effort is not yet companywide: the divisions that produce other widely distributed and vulnerable products such as Office, SQL, and Exchange have not started similar reviews.

New Security Strategist

Microsoft’s new chief security strategist, Scott Charney, joins Craig Mundie’s Advanced Policy and Strategy Group from PricewaterhouseCoopers (PwC). Charney’s background includes security service delivery experience at PwC, as well as security-related legal and legislative experience with both the U.S. Department of Justice Criminal Division’s Computer Crime and Intellectual Property Section and the Bronx County, New York, District Attorney’s office.

Charney replaces Howard Schmidt, who has left his role as chief security officer to become vice chairman of the federal Critical Infrastructure Protection Board. Like Schmidt, Charney will focus on developing strategies to enhance the security of Microsoft products, services, and infrastructures. A lawyer by background, Charney also appears well suited to help Microsoft lobby for security and privacy legislation.

New Security Product Head

Mike Nash, currently the vice president of content development and delivery (responsible for the microsoft.com Web site and MS Press), will be moving to the newly created position of vice president of the Windows Security Business Unit, reporting to Windows Division Senior Vice President Brian Valentine. Nash, an 11-year Microsoft veteran, is returning to the Windows Division, where he previously was the general manager of Windows product management. In the new position, which was created in fall 2001, Nash will be responsible for Microsoft’s Internet Security and Acceleration (ISA) Server and other forthcoming network security products. (For more information, see "Reorganization Focuses on Developers, Windows Server" on page 32 of the Dec. 2001 Update.)

Resources

For more information on the Microsoft Press book Writing Secure Code, see www.microsoft.com/PressPass/features/2002/jan02/01-24secure.asp.

For more information on ISA server, see www.microsoft.com/isaserver/.