Building Security into Windows Vista and the Microsoft Culture
By Michael Howard
Principal Security Program Manager, Microsoft Corporation
See other Viewpoint articles.
Roughly two months ago, Jeff Jones published his Windows Vista One Year Vulnerability Report. The following graph from that report shows a side-by-side comparison of vulnerabilities in desktop operating systems:
I am always bemused when Jeff Jones performs in-depth security vulnerability analysis and reports his findings, not because of the content of his findings, but because of the incredible armchair commentary that follows.
Jeff and I have seen and heard it all:
"This is FUD."
"Yeah, but it's not an apples to apples comparison."
"How can you believe this guy? He works for Microsoft!"
"What would Microsoft know about security?"
"For his next trick ..."
"That chart really hits home the fact that statistics can be used to prove any side of any argument."
"Of course he says Windows is the best; that's what he's paid to do."
"Counting vulnerabilities is a natural way to measure security. If you're a retard."
"The other big reason Linux is more secure is many black hats LOVE open source principles."
"Can someone please slap Microsoft in the teeth?"
"I can't actually remember a time when my Mac needed a patch to fix a security hole."
You get the picture.
So let's ignore raw stats for a moment. Let's not compare RedHat to Mac OSX to Ubuntu to Windows Vista, because let's face it, no one can agree on any measurement of security without getting knotted up. So let's just ignore the comparison stuff. Measuring security is a real challenge, and although we may debate the merits of vulnerability counts, right now it's the only concrete metric we have.
When Bill Gates released his Trustworthy Computing Memo in 2002, many people thought it was just a marketing stunt. It was not. His edicts are always taken very seriously inside Microsoft. In fact, I will go one step further; the only way you make big changes in a large software company is when the boss says you have to do so. So why send the memo to all Microsoft employees? It was simple. He (and the entire senior management team, for that matter) recognized that Microsoft faced a problem that needed solving: the company needed to shore up the security of its products.
So Bill Gates sent his memo to get the ball rolling.
Now let's go back to Jeff's recent analysis. Cover up the Mac OS X and Linux stats for a moment so you can only see the Windows XP SP2 and Windows Vista bars. Windows Vista has had fewer security vulnerabilities than Windows XP SP2. Conventional wisdom (which is often wrong, especially when it becomes urban legend) tends to suggest that the more lines of code you have, the more bugs you have. That might be true -- and Windows Vista is certainly larger than Windows XP SP2 -- yet right now, we are on track for an approximately 50 percent reduction in vulnerabilities compared with Windows XP SP2. Think about that figure for a moment: about a 50 percent reduction (and that does not account for the reduction in vulnerability severity) despite the increase in code size.
So if Windows Vista has more code than Windows XP SP2, why are we seeing a reduction in vulnerabilities? Simple: the Security Development Lifecycle (SDL)! Microsoft decided to change its development practices to enforce greater security discipline. The only way you reduce security vulnerabilities is by focusing on improving code security, design security, reducing attack surface, education, tracking evolving threats, mandatory use of tools, banning known bad functionality, better compilers, better linkers, better libraries, etc. And that is what the SDL is all about and what our team is laser-focused on.
The reason you're seeing a reduction in vulnerabilities across major Microsoft products is simple:
Microsoft recognized that it needed to improve security.
Bill Gates said so (as did the rest of senior management).
Our group swung into action and helped the rest of the company come up to speed on security issues.
Microsoft development processes changed to adopt the SDL.
You improve security by focusing on security. Not by wishing on a star. Not by believing age-old myths about "given enough eyeballs ... blah blah blah." If the "eyeballs" mantra were true, we'd have very few open source security bugs. But there are plenty of open source security bugs found after products ship. Hmmm. This would seem to raise an interesting question on the validity of the "enough eyeballs" belief given these hard facts.
Now let's go back to Jeff's chart for a moment. Cover the Windows columns and look at the other columns. However you want to skew or spin it, that's a lot of security vulnerabilities that needed fixing once a product had shipped. Admit it. Come on, admit it; that's a lot of bugs. I don't care how big a Linux distribution is, or how many IM clients Ubuntu ships with, or the merits of UAC vs. su. That's a lot of security vulnerabilities! Now ask yourself this question: How many people involved in the development of these other products have you heard say, "Wow, we have a lot of security bugs. We really should do something systematic to fix this problem." I'll be very happy to be proved wrong, but all I hear are crickets. I see no one else in the industry standing up and saying, "Let's fix this."
I just hear emotion, excuses, and dogma.
At Microsoft, Bill Gates's memo was a "we need to fix this" memo, and we are now seeing results. Not perfection. There will be no perfection, because no software is 100 percent secure. But progress is being made across all Microsoft products, not just Windows, because of the SDL.
Let me close with a story. A few years ago, I spoke to some senior technical people from a large financial organization about software security. After visiting Microsoft, they were off to visit another operating system vendor. I won't name names. The financial company was very interested in our early results, and they were encouraged by what they saw because of the SDL. I asked the most senior guy in the room to ask the other company one very simple question, "What are they doing to improve the security of their product? And by that I mean, what are they doing to reduce the chance that security vulnerabilities will creep into the product in the first place? And they cannot use the word ‘Microsoft' in the reply." Two weeks later, the guy phoned me and said his company would buy products from Microsoft and nothing from the other company. I asked him why. He said because all they could do was make up excuses (see the list at the start of this article for examples) rather than admit to having numerous critical security vulnerabilities and no process to reduce their ingress.
Okay, one more comment! I would love to see others in the industry stand up and admit there is a problem that needs solving and start doing something about it. I really, really would, because we need to secure the entire computing ecosystem. Comparing numbers is interesting, but what really matters is this: is progress being made? At Microsoft the answer is "yes," but only because Bill Gates realized there was a problem to be solved, and that is what led to the birth of the SDL.