| Business Integrity
|
The vendor of a product behaves in a responsive and responsible manner.
|
Microsoft Trustworthy Computing Framework
After extensive feedback from customers, Microsoft has developed a framework to focus efforts and measure progress toward the goals of Trustworthy Computing. The framework has four components:
By Design: Building security, privacy protection, reliability, and integrity into our products, services, and relationships.
By Default: Optimizing security, privacy, and reliability options and settings when we deliver products or services.
In Deployment: Providing guidance to help our customers make the best use of our products and services.
Communications: Listening to our customers and communicating clearly, openly, respectfully, and honestly.
These aims are more than slogans; individual employees and groups at Microsoft will be measured against them in their performance reviews.
Security
Security is a crucial area of importance not only for Microsoft but the software industry as a whole. Several news reports have appeared lately saying that no software, whether proprietary or Open Source, will ever be completely secure (source: Aberdeen Group Perspectives, “Open Source and Linux: 2002 Poster Children for Security Problems, November 2002 http://www.aberdeen.com/ab_abstracts/2002/11/11020005.htm ). As the world’s leading software firm, Microsoft often receives major media attention when security breaches occur.
Established in 1988, the CERT Coordination Center (CERT/CC) http://www.cert.org is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. A recent report from Aberdeen Group based on CERT advisories states that “contrary to popular wisdom, UNIX- and Linux-based systems are just as vulnerable to viruses, Trojan horses, and worms" (source: Aberdeen Group Perspectives, “Open Source and Linux: 2002 Poster Children for Security Problems, November 2002 http://www.aberdeen.com/ab_abstracts/2002/11/11020005.htm ) The same report notes that CERT did not issue any advisories for Windows 2000 during the focus of the report, which was the first 10 months of 2002.
Even Sun has been plagued by a number of serious attacks. On September 16, 2003, iDefense, an Internet security service, announced that it had discovered a major security vulnerability in Sun's Solaris and Trusted Solaris operating systems. A weak set of administration tools — the sadmind(1M) Daemon, which is enabled by default — allows an attacker using a forged identity to take complete control of a Solaris or Trusted Solaris system over port 111. Sun has not offered a patch but has published a set of corrective configuration measures http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740&zone_32=category%3Asecurity . Sun says that the next version of Trusted Solaris will disable the vulnerable service by default. This flaw rates as High Risk according to the Gartner Internet Risk Vulnerability Ranking method — mainly because exploit code for the flaw has already appeared on the Internet.
Microsoft recognizes that it is judged differently because of the sheer number of its customers – and Microsoft is committed to not only minimizing security problems caused by technology, but educating customers about best practices as well. In the next several sections, this white paper will explore the major investments Microsoft is making to minimize security risks for customers and the industry.
|
