Microsoft Corp. took up the lion's share of attention on the final day of the RSA Conference 2002 last Thursday, as a constant stream of show attendees huddled around the software giant's booth to glimpse a demo of its upcoming Baseline Security Analyzer vulnerability scanning product.
Due for release in March, the free download replaces Microsoft Personal Security Advisor and is designed to offer simpler controls and more detailed step-by-step instructions for finding and fixing holes in Microsoft products, said Scott Culp, manager of Redmond, Washington-based Microsoft's Security Response Center. The tool pulls its current analysis data directly from Microsoft Security Bulletins, so a scan reflects the latest published advisories.
According to Culp, simplicity is the key to nudging end users into proactively tracking the constant flux of newly discovered vulnerabilities and applying the patches issued for them. "Complexity is the enemy of security. If you can't manage it, you can't secure it," he said.
Despite coming under heavy fire last year over the damage done by the Nimda worm, Microsoft has pointed out that it did, in fact, have patches available for download that closed the holes Nimda exploited months before the outbreak.
Baseline Security Analyzer supports Microsoft IIS 4.0 and 5.0 and Microsoft SQL Server 7.0 and 2000. Microsoft Exchange support will be embedded into a future version of the scanner.
Culp said Microsoft has required thousands of its employees, himself included, to attend new security training classes to help meet the company-wide and product-wide security commitment laid out in Bill Gates' memo on improving Microsoft security last month.
Microsoft is already taking steps to ship its products to customers in a secure default configuration. For example, Culp said IIS 6.0 in the forthcoming .Net server will ship "turned off" by default, with a walk-through wizard to help customers enable only what they need to get the product up and running.
Culp also said that the automatic update feature in Windows XP is the first step toward Microsoft's long-term security model, in which machines and services are updated automatically by an intelligent "organic and self-healing" mechanism whenever a fix is needed.
"In the [security] world being envisioned, Microsoft and the industry would achieve a level of quality where people have enough trust in products to have fixes installed automatically. Clearly we are not there today," he remarked.
Peter Lindstrom, a security analyst at Framingham, Massachusetts-based Hurwitz Group, said Microsoft's agenda to improve its security is admirable, but the software behemoth must be able to translate progress into proof for customers.
"It's hard to have a problem with someone who claims security is becoming more and more important," Lindstrom said. "But the big question in my mind is how will [Microsoft] follow through and how will they be able to test it?"