SD3 Forms Basis for Security Push
Aug. 26, 2002

To address security vulnerabilities with its products, Microsoft is pursuing a strategy that Microsoft strategist Craig Mundie summarizes as "SD3"—secure by design, secure by default, and secure by deployment. All of Microsoft’s product teams have begun to adopt this strategy, and while some areas are showing measurable improvement, the strategy as a whole has yet to produce consistent results.

SD3

Microsoft product divisions tend to work autonomously, with little direct management from the company’s senior managers. In an attempt to help product divisions improve the security of their products, the company is pursuing a strategy that consists of three parts.

Secure by design. Security must be a fundamental part of the design of every feature in every product. The goal is to reduce the number of security bugs or vulnerabilities that are present in new software. To accomplish this goal, security must be a factor during all phases of product design, from creating the specification through writing the code and testing the product.

Secure by default. Security must be preserved during installation and configuration of every product. The goal is to create default installations and configurations of products that are more resistant to attack. To accomplish this goal, software must install in its most secure configuration and stay that way until the customer takes informed steps to loosen it.

Secure by deployment. Security must be preserved throughout the life of every product. The goal is to ensure that deployed software remains free from known vulnerabilities or security weaknesses. To accomplish this goal, Microsoft must respond effectively to new threats or newly discovered vulnerabilities through tactics such as issuing appropriate documentation and patches in a timely fashion.
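The "secure by default" principle above can be made concrete in code. The following is an added illustration, not Microsoft's or any product's actual configuration logic: a hypothetical server whose optional components all start disabled, where enabling one requires an explicit, acknowledged operator action, and where unrecognized component names are rejected rather than silently ignored. The component names are constructed for the example.

```python
"""Secure-by-default configuration handling (added example, hypothetical service).

Every optional component starts disabled. Turning one on requires the operator
to name it explicitly and to acknowledge the change; disabling never does.
Unknown names are rejected rather than silently ignored, so a typo cannot
leave an operator believing a feature is off when it is on.
"""

# Constructed list of optional components in a hypothetical server product.
OPTIONAL_COMPONENTS = ("web_server", "remote_admin", "anonymous_upload")


def default_config():
    """Most secure configuration: nothing optional is enabled."""
    return {name: False for name in OPTIONAL_COMPONENTS}


def apply_overrides(config, overrides, acknowledged=()):
    """Return a new configuration with the operator's overrides applied.

    overrides:    mapping of component name -> desired enabled state
    acknowledged: names the operator has explicitly accepted enabling
    Raises ValueError for unknown components or for enabling a component
    without acknowledgement, so the configuration fails closed.
    """
    new = dict(config)
    for name, enabled in overrides.items():
        if name not in new:
            raise ValueError(f"unknown component: {name}")
        if enabled and name not in acknowledged:
            raise ValueError(f"enabling {name} requires explicit acknowledgement")
        new[name] = bool(enabled)
    return new


def exposed_components(config):
    """Sorted names of components currently enabled, i.e. the attack surface."""
    return sorted(name for name, on in config.items() if on)


if __name__ == "__main__":
    cfg = default_config()
    print(exposed_components(cfg))  # []
    cfg = apply_overrides(cfg, {"web_server": True}, acknowledged={"web_server"})
    print(exposed_components(cfg))  # ['web_server']
```

The point of the pattern is that the fresh install exposes nothing, and the only way to widen the attack surface is a deliberate change that the operator has to name twice; loosening is never a side effect of an unrelated setting or a misspelled key.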

The security strategy was first articulated by Craig Mundie, Microsoft's chief technology officer for advanced strategy and policy, and it is being evangelized to the organization by Chief Security Strategist Scott Charney, who reports to Mundie.

Progress So Far

The Windows Division has been using SD3 the longest, since early 2002. For example, in Feb. 2002 the division halted development on Windows .NET Server so that the development team could receive security training and review the security of each feature (secure by design). More recently, it "locked down" Internet Information Server version 6.0 in Windows .NET Server so that the service is at its most secure—completely disabled—by default, and administrators must take deliberate installation and configuration steps to enable services that might weaken its security. Finally, the Windows Division has been working on a variety of free tools (such as the Baseline Security Analyzer and the Software Update Service for patch distribution) to help customers find and deploy necessary patches for Windows 2000 and XP.

For Microsoft as a whole, however, progress is uneven. For example, the Office and development tools divisions have addressed security by design through a review of their main products. However, far less is known about how other Microsoft divisions will address security by default; in particular, there is no information as to when "locked down" versions of the .NET Enterprise Servers or Office will be available.

Inconsistency Weakens Efforts

Inconsistency across products is the greatest problem still facing Microsoft as it addresses security, particularly in the area of "secure by deployment." For example, there are still many places where a customer has to look for patches (including the separate Windows and Office Update Web sites), and because Microsoft uses a variety of techniques to build patches, the free tools it supplies to detect whether or not a patch is installed cannot provide consistently valid results.

In the year since the Code Red virus struck Windows machines across the world, Microsoft has devoted substantial money and manpower to security via SD3. To show continued improvement, it will need to ensure that all of its traditionally autonomous product groups use those resources and apply that strategy consistently.

Resources

For more detailed information on SD3, including its relationship to Microsoft’s Trustworthy Computing initiative, as well as an examination of what Microsoft has done in each of these areas, what customers need to do, and what Microsoft can do better, see the Sept. 2002 Research Report, "Trustworthy Computing: Making Software More Secure."