Security Surcharge

With its year-old Trustworthy Computing Initiative, Microsoft is employing new tools to detect security flaws during development, and it's working with consulting, patch-management and other partners to alert customers and issue updates when problems arise. But when it comes right down to it, Microsoft really doesn't know what to do next. For its every step to shore up security, it's scrambling a step-and-a-half backward because of the increasing sophistication of hackers, many of whom target Microsoft products with a vengeance.

Speaking at the company's .Net developers conference a month ago, senior VP Brian Valentine admitted that Microsoft's products "just aren't engineered for security"--though he argued that other vendors' products are equally vulnerable. Even as Microsoft and others improve security, Valentine said, hackers will devise new ways to break in. The stats don't lie: In just the first half of this year, the total number of system vulnerabilities reported to CERT were about equal to all those reported in 2001.

The problem has more to do with sophistication than sloppiness: Software is more complex, making exhaustive security testing extremely difficult. Reusable application objects can pass along bugs faster than ever. Black hats are getting smarter, while amateur hackers have easier access to tools of the trade.

Yes, Microsoft and other vendors are culpable; they continue to crank out new versions of software and systems before they can be tested adequately. But vendors aren't rushing product out the door as fast as they used to, either because customers don't have the money for incremental upgrades or they're demanding higher quality from the start.

Extreme VigilanceMicrosoft's software is hit the hardest, according to the conventional wisdom, because it's the most widespread and popular, not necessarily because it's less secure than rival offerings. Still, the more features Microsoft builds into Excel, Exchange, Internet Information Server, SQL Server, Windows and other products--and the more tightly integrated those products become with one another and the more third-party developers introduce their own bugs--the more prone they are to security breaches. Extreme vigilance, Microsoft argues, is the surcharge customers must pay for the ubiquity, feature-richness and compatibility of its products.

So are you and your company willing to pay that surcharge? At the very least, that requires implementing and enforcing a cogent IT security policy; keeping strict tabs on what users deploy; knowing where you're vulnerable and deploying the requisite firewalls, antivirus tools and intrusion-detection systems; and keeping current on software patches (enterprises now spend $2 billion a year just to investigate, prioritize and deploy patches, according to Aberdeen Group). That's what it's going to take to work in a Microsoft--or any--environment. Don't count on any single platform or security vendor to bulletproof your environment for you.