Microsoft and Security: An Oxymoron?
During the past few years Microsoft has been promoting improved security for its products, especially now that the DOS-based foundation of its operating systems is being replaced by the industrial-strength, Windows NT-derived kernel found in XP.
Microsoft is to be commended for its newfound security religion and for adding security features, including an embedded firewall service, to its new operating system releases.
Beyond Microsoft itself, the new operating system forces third-party software makers to go through XP's own services when their applications access memory, device drivers, and network services. Certified (signed) drivers are strongly encouraged. This formalism will, over time, further reduce software defects and risk for Microsoft and its customers.
However, IS buyers and Microsoft are now learning firsthand that coping with software glitches demands thinking outside the box of traditional security point solutions.
The Broader Problem, Writ Large
The problems facing all IS buyers and software suppliers, not just Microsoft, are the result of several contributing factors:
- The gigantic growth in the size of software source code, making exhaustive security testing impractical;
- Reusable data-application objects that act as incestuous cousins, making object-integrity and object-interaction testing very difficult; and
- A widespread lack of security testing skills and methodologies in the industry, leaving most products without any serious security testing at all.
Unfortunately, the integrity problems facing all software suppliers are not amenable to simple, traditional, and well-known security fixes. Rather, the problems are systemic in nature: data-application objects are routinely granted unusual privileges and allowed to operate with few controls and little auditing.
Beyond Viruses: Software Microbes
A new generation of software applications, based on objects that commingle data with application logic, is now commonplace.
New software tools (Java, scripting languages, and XML, among others) are making it more convenient and less costly for IS buyers and software suppliers alike to develop, deploy, and maintain new applications. Applications built with these tools are being deployed on desktops and back-end systems, alongside e-mail and Web servers, to support a wide range of business processes, including customer management, partnering, and supplier collaboration, among others.
However, these same tools are making it much easier for low-skilled vandals to exploit the soft underbelly of these applications. Moreover, because the new applications mix data and logic, a hostile payload can arrive disguised as ordinary data, and thieves are finding rich treasure troves that heretofore would have been more difficult to reach.
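The mechanism behind the point above, as an added example that is not part of the original article: when a record is handed to the scripting language's interpreter, any expression smuggled inside it runs with the application's privileges; when the same record is parsed strictly as data, the smuggled expression is simply rejected. The record, the field names and the `__pwned` marker are constructed for this illustration.

```javascript
// Constructed sample input: a "customer record" that arrived from an untrusted
// source. It looks like data, but the "note" field carries an expression that
// sets a global flag as a stand-in for arbitrary hostile code.
const UNTRUSTED_RECORD =
  '({"customer": "ACME", "credit": 1000, "note": (globalThis.__pwned = true, "hi")})';

// Unsafe: the record is evaluated by the language interpreter. Data and logic
// are commingled, so whatever the sender embedded executes here.
function loadRecordUnsafe(text) {
  return eval(text);
}

// Safe: the record is parsed as data only. JSON.parse accepts literals and
// nothing else, so the embedded expression is a syntax error, not a program.
// A minimal shape check then rejects records with unexpected fields or types.
function loadRecordSafe(text) {
  const parsed = JSON.parse(text);
  const allowed = { customer: 'string', credit: 'number', note: 'string' };
  for (const key of Object.keys(parsed)) {
    if (!(key in allowed) || typeof parsed[key] !== allowed[key]) {
      throw new TypeError(`unexpected field ${key}`);
    }
  }
  return parsed;
}

// Run both loaders against the same record and report what happened.
function demo(text) {
  delete globalThis.__pwned;
  const unsafe = loadRecordUnsafe(text);
  const unsafeExecutedPayload = globalThis.__pwned === true;

  delete globalThis.__pwned;
  let safeRejected = false;
  try {
    loadRecordSafe(text);
  } catch (e) {
    safeRejected = e instanceof SyntaxError || e instanceof TypeError;
  }
  const safeExecutedPayload = globalThis.__pwned === true;

  return { unsafeCustomer: unsafe.customer, unsafeExecutedPayload, safeRejected, safeExecutedPayload };
}

console.log(demo(UNTRUSTED_RECORD));
```

The unsafe loader returns a perfectly normal-looking record, which is exactly why this class of problem is hard to spot after the fact: the payload has already run by the time anyone inspects the result.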
Worse, the popular press continues to mislabel the problem as traditional software viruses. What pass for software viruses today are actually blended worm and Trojan horse hybrids: software microbes.
Microsoft and Everyman’s Dilemma
The dilemma for IS buyers and all software suppliers, not just Microsoft, is determining how to combat the problem of commingled data-object software, whose tools are now being used to create parasitic software microbes.
When looked at in the context of the historical software defect reports of all technology suppliers, Microsoft actually has a good track record. Unfortunately, Microsoft appears to be taking the heat for a problem that it alone did not create and that it alone cannot solve. Analysts recommending that IS buyers tear out Microsoft's Internet Information Server and Exchange Server are both dead wrong and out of touch. Sage IS executives will recognize such advice for what it is: self-serving rabble-rousing.
It is time for IS buyers and software professionals to look beyond quick fixes and recognize that a new and dangerous era of software microbes, one that could easily destroy market brands, is upon us.
Solving the problem will require thinking outside the traditional security-point-solution box to combat the DNA-like threat posed by software microbes. Bottom line: it is time for the IT industry to stop blaming Microsoft and get on with forging a solution.
Jim Hurley is vice president and managing director, information security, for Aberdeen Group in Boston. His e-mail address is [email protected].