  • Google Chrome and Silent Patching

    This morning I opened one of the Swiss Sunday newspapers and Google Chrome made it to the front page with a “best practice approach” for deploying security updates. In the article itself it was claimed that Chrome is one of the best browsers with regards to security as they deploy patches silently, without letting the user know, even if Chrome is not running, and there is no way to disable this. Here are some similar stories:

    Give me a break here.

    I am really tired of hearing those things. When Chrome shipped, three things actually hit my inbox:

    • Chrome was shipped (in a Beta) with a few pretty significant vulnerabilities in it, which had been known for quite a while (like the carpet bombing flaw). The excuse by Google was “it is just a beta”. Tell me please, how you would comment if we had done the same with Windows 7.
    • I got quite a few mails from angry customers and journalists telling me that Chrome found a way around User Account Control as Chrome installs without UAC kicking in. Journalists called as they claimed to have found “a severe vulnerability”, customers called as they were angry with us as Chrome simply popped up all over the place in their network even though their users were non-admin. Well, well, Chrome simply installs an executable in the user context, in directories for which the user has write permissions. So, for sure Chrome can install – really bad practice in my opinion.
    • There was a pretty strange paragraph in the EULA which was then removed later.

    And now the silent patching. A few years back, when we designed Windows XP SP2 we talked about switching Automatic Updates on by default. This caused a lot of people screaming and telling us that it is unacceptable to switch AU on by default (which we actually do in the meantime). We recently updated the Windows Update client – and it caused a lot of you to scream and tell us that it is unacceptable for us to silently update a component on Windows. And we heard you loud and clear. And now I hear that Chrome is best practice because they silently fix security vulns? And you cannot even switch this off? So, what is the policy the industry shall follow?

    I agree that the most secure way for consumers would be to automatically fix security vulns. This is actually what I tell my parents: Simply install security updates. This is for consumers and there is an option. Not having an option is unacceptable – at least for me. Additionally, again for the consumer, having Anti-Malware being part of the Operating System out of the box and enabled by default would be desirable. However, this is not acceptable today for competition reasons.

    So, what I do not get is why people do not look at these problems holistically and more from a policy perspective rather than from a company by company perspective. Silently installing components without even giving me the option to choose is not acceptable today for me – but I want to have the option to do it if I want.

    And finally: I would question the enterprise-readiness of such software. At least, I would never deploy it in an enterprise environment.

    Roger

  • DirectAccess – a Step by Step Guide

    DirectAccess is one of the coolest features I have used in quite a while. I have been part of our internal pilot for months and it is absolutely great: You connect to the Internet and you are immediately connected to the corporate network. No VPN, nothing.

    If you want to know how to set this up, there is a guide for this: Step By Step Guide: Demonstrate DirectAccess in a Test Lab

    Roger

  • Security Development Lifecycle Template – Your next step to “Secure Development”

    You might remember it: On January 15th, 2002, Bill Gates wrote the famous memo on Trustworthy Computing to all the employees at Microsoft. This was probably one of the biggest initiatives at Microsoft and radically changed the way we develop software (and much, much more). I remember the first time I was on stage talking about Trustworthy Computing in 2002. I said that this is an industry initiative and not something for Microsoft only. A lot of people just smiled at me and told me that this was just another try to get out of our responsibility and blame the industry for our problems. However, we have come a long way since then.

    If you look at Bill’s memo back in 2002, there are a few remarkable statements in there, when it comes to the industry collaboration piece. He said that “We must lead the industry to a whole new level of Trustworthiness in computing.” and “It’s about smart software, services and industry-wide cooperation.”

    So, we started to introduce a process we called the Security Development Lifecycle at Microsoft. The process on a high level looks pretty familiar (I hope at least):

    [Figure: SDL Process]

    The effect of this process was pretty impressive. Let’s look at a few key figures from our latest Security Intelligence Report. If we investigate the Security Bulletins we had to release in H1 2008 and compare the impact on Windows Vista and Windows XP, it looks like this:

    [Figure: Vista vs XP]

    And our overall share of the industry-wide vulnerabilities dropped constantly:

    [Figure]

    It definitely had an effect on us – but we always wanted to share what we are doing within Microsoft to help you as a developer profit from what we learned. So, we have made SDL available for quite a while as books, trainings etc. Today we go an additional step to help reduce the other 97% of the industry-wide vulnerabilities as well.

    Today we announce the availability of a template for Visual Studio, where you can integrate SDL in Visual Studio Team System – and I tell you, this is really, really cool. And as always with such initiatives it is for free!

    As a teaser, here are a few screenshots:

    [Screenshot: SDL Guidance]

    This is the guidance page on SDL – kind of your starting point

    [Screenshot: SDL Dashboard]

    To run your project, you have a dashboard view

    [Screenshot: SDL Requirements]

    And last but definitely not least, you have an overview of the SDL requirements

    and there is much, much more!

    Now, I leave the word to the real pros. Read the blog post by our SDL team: Making Secure Code Easier

    I wish you all a lot of success implementing SDL, and let’s reduce the industry-wide vulnerabilities.

    And – by the way – did I tell you already that we make it available for FREE ;-)?

    Roger

  • Securing Microsoft’s Cloud Infrastructure

    A lot of people and companies are talking about “the Cloud” today. I guess that there are not too many companies that share the same track record of running online services as Microsoft. In 1994 we launched MSN, and we have been in this business since then.

    Microsoft Global Foundation Services (the group responsible for this infrastructure) just published a document called Securing Microsoft’s Cloud Infrastructure which is definitely worth reading. In my opinion a few items will be key when talking about a trustworthy cloud, one of them being transparency: transparency about how your data is handled, how software is written and operated, how incidents are dealt with, etc. This paper definitely helps on our side to drive in this direction, although we have already done a lot in this respect, like making the Security Development Lifecycle available and communicating transparently about security challenges etc.

    To show the importance of security for our online services as well, I would like to quote the paper:

    The core driver to creating an effective security program is having a culture that is aware of and highly values security.  Microsoft recognizes that such a culture must be mandated and supported by company leaders. The Microsoft leadership team has long been committed to making the proper investments and incentives to drive secure behavior. In 2002, the company formed the Trustworthy Computing initiative with Bill Gates committing Microsoft to fundamentally changing its mission and strategy in key areas. Today, Trustworthy Computing is a core corporate value at Microsoft, guiding nearly everything the company does. At the foundation of this initiative are these four pillars: Privacy, Security, Reliability, and Business Practices. For more information on Trustworthy Computing, see the Microsoft Trustworthy Computing page.

    Microsoft understands that success in the rapidly changing business of online services is dependent upon the security and privacy of customers’ data and the availability and the resiliency of the services Microsoft offers. Microsoft diligently designs and tests applications and infrastructure to internationally recognized standards in order to demonstrate these capabilities and compliance with laws and with internal security and privacy policies. As a result, Microsoft customers benefit from more focused testing and monitoring, automated patch delivery, cost-saving economies of scale, and ongoing security improvements.

    Here are the links to the different papers we published today:

    Roger

  • Download Pirated Copies – and you will be banned from the Internet

    This is very tough legislation: France just agreed on a new Internet Piracy Bill. If you violate piracy laws three times, you will be banned from the Internet for up to a year: http://www.webpronews.com/topnews/2009/05/12/france-approves-internet-piracy-bill

    Interesting approach

    Roger
