With all of the attacks on Microsoft software the past few months, it is increasingly hard to chalk it up to the fact that Microsoft products are the most widely used in the industry, and are therefore the prime target for black hatters. Are Microsoft's coding practices and product-development teams just not as attuned to security as they should be?
If they have not been in the past, they will be if Microsoft's new security road map is successful. Besides changing new software that already is written -- to batten down the hatches when it comes to default features -- Microsoft also is trying to plug holes in legacy products. But to do that requires the cooperation of its customers, and patching can be a tough sell. Is Microsoft doing enough to secure its software? Industry experts are not so sure.
In the short term, Microsoft is resigned to the fact that all software is going to have security flaws. But the company is taking steps to try to stymie attackers. It has changed its organizational structure to create a security business unit and has retrained developers in security best practices.
The Security Business Unit is responsible for training developers to write secure code, creating and enforcing security goals for Windows product groups, and developing security best practices. In 2002, the software giant stopped development for two and a half months to educate more than 9,000 of its employees in writing more secure code. In the last 18 months, Microsoft retrained 18,000 developers, instituted an array of new, more secure development practices, and provided its developers with enhanced tools.