Microsoft: Code is better, not perfect

Over the last few years, Microsoft has aggressively sought to change the image that its products have poor security. The company says that Windows Vista, which has been released to manufacturing, will be its most secure operating system to date, representing a top-down change in how its programmers develop code with security in mind.

Stephen Toulouse, senior product manager for the Security Technology Unit, spoke with IDG News Service about how Microsoft’s security teams approach problems with software and the current threat landscape. An edited transcript of that interview follows.

IDGNS: It seems over the last few months there have been fewer vulnerabilities that would affect, say, millions of users. What is your perception?

Toulouse: To watch how the threat landscape has evolved has been very interesting. When you look back at where we were four years ago, we didn’t have the security development lifecyle, the operating system didn’t have a firewall. I think you are seeing more complex attacks, more social engineering. I think the simplistic attacks of the past with worldwide impacts are far fewer, and we expect that to be further reduced. But we can't let ourselves be complacent. I think what you’ll see in the future is far more defense in-depth in applications and in operating systems, and that is going to generate far more complex attacks. Attackers are not going to stop.

IDGNS: Do you think the number of fixes issued on patch Tuesday will fall with Windows Vista? How about with older operating systems and products?

Toulouse: My viewpoint on update Tuesday is it's impossible to predict the peaks and valleys of the operating systems that are out today. But one of the goals we have with each successive product that we make is that we learn the lesson and implement the new functionality and new security so that over time, you see a reduction not just in the number of vulnerabilities but their impact on the customer. So I would expect that with Windows Vista, that will be lower. You know that you can’t get the code perfect.

IDGNS: Will we know more about vulnerabilities found in Vista when the penetration testers who tested it a few months ago are no longer under nondisclosure agreements?

Toulouse: When we went to Black Hat in Las Vegas, we brought the product [Vista] with us and we handed out 3,000 copies. We were out of DVDs before the end of the conference. They take the code and have fun. It was pre-release version in July. They were free to bash on it. From our perspective, the security researcher input was unprecedented. They’re the experts. We didn’t have a lot of people come back and say ‘I found a vulnerability.”

IDGNS: A security vendor, Secunia AsP, recently claimed there was a vulnerability in Internet Explorer 7. Microsoft countered that the software is intended to work that way, even though it could be maliciously exploited. What’s your take?