SAN FRANCISCO - Roughly two months after the initial launch of Windows Vista, Microsoft software development leader Ben Fathi said his company is pleased with the security, performance and feedback it has received regarding its newest operating system.
Seated in a quiet briefing room removed from the pressing mass of humanity coursing through the ongoing RSA Conference 2007, being held here Feb. 5-10, Fathi, corporate vice president of development of Microsoft’s Windows Core Operating System Division, appears at ease, and even happy, discussing the topic of Vista security.
The executive’s tone is markedly different than only six months ago, when he was fielding questions about potential antitrust action on the part of Microsoft’s largest security partners over their ability to integrate products with the new OS.
Where Microsoft was aggressively playing defense at that time, impressing its willingness to cooperate with partners and assuage their concerns over the implications of Vista’s onboard security features, at the annual security industry confab Fathi seemed relaxed and more confident than ever that his company’s work to better protect its flagship products is being viewed thus far as a success.
In framing Microsoft’s greatest accomplishments in improving Windows security with the introduction of its newest products, which range from building and using the company’s new Software Development Lifecycle code analysis process to adding anti-malware and encryption features in Vista, Fathi said the most gratifying milestone was getting the product itself out the door, along with the new iteration of its Office productivity suite.
“Vista is out, Office 2007 is out; those are two huge steps in achieving our security strategy,” Fathi said. “We also had a number of additional releases coming down the pipe, and they’re all either released or will be out in 2007, so I think we’ve made some great steps forward in terms of overall security.”
Among the additional products referenced by Fathi were those introduced by Microsoft at the show on Feb. 6, including a beta of its Forefront Server Security Management Console and its ILM (Identity Lifecycle Manager) 2007 package, to be launched in May 2007.
On the topic of partners, the executive said that the air has cleared significantly with the battle of words revolving around Microsoft’s inclusion of its KPP (Kernel Patch Protection) technology in the 64-bit version of Vista having been largely settled.
Security applications market leaders Symantec and McAfee appear to be satisfied with the new fleet of APIs that Redmond, Wash.-based Microsoft has provided to aid integration with Vista’s kernel, and the software maker feels it was never forced to back down from its position of refusing to abandon PatchGuard, the most controversial element of KPP.
“It’s good that we’re past that and moving on,” Fathi said. “The conversations have gotten significantly better since it became clear that we would not turn KPP off; everyone sat down at the table and discussed the best way to find usable APIs.”
While a small number of vulnerabilities have been isolated in Vista by security researchers, Fathi said he can live with that performance, compared to the torrents of flaws found in previous iterations of Windows and Office. Software is complex and will never be completely vulnerability-free, he said, and while Microsoft feels it has made significant progress with its ability to drive potential weak points out of its products using SDL, work to secure the software platform further will always remain an ongoing task.
Microsoft’s security doubters remain, spreading rumors that Vista’s BitLocker encryption keys are already being cracked, and the news media continues to produce stories criticizing the frequency with which the operating system’s UAC (User Account Control) feature presents users with distracting pop-ups. But Fathi said those criticisms aren’t as much a source of frustration as they are inspiration for his future development efforts.
“Headlines are what reporters are after, but we feel that the real message is getting out there that security for end users has been greatly improved,” Fathi said. “The great security we have today comes at some cost to the user, such as with the frequency of [the UAC] pop-ups, but we will work with our partners to improve integration for applications security so the system doesn’t need to ask users for approval so often.”
Those types of considerations, and planning the security underpinnings of a future generation of Windows products (delivery date to be determined), have taken over Fathi’s day-to-day work, with the developer relishing his ability to spend most of his time with his true passion, building software, rather than sparring with Microsoft’s partners and fielding a nearly constant stream of questions from a media that often appears bent on discrediting his work.
“I’m back doing what I’ve always done, designing software versus dealing with problems, and not just being focused on security issues,” Fathi said. “The next six months are all about planning the next version of Windows and spending time fixing things we didn’t fix in Vista.”
With a sly grin, the developer suggests that perhaps as soon as five years from now customers of Microsoft’s products won’t need to worry about OS security at all. It’s clear that Fathi isn’t serious, given his earlier concession that finding new ways to improve and defend Microsoft’s products will always be a part of his job, but it’s not hard to detect that the frustration the executive felt when handling the waves of controversy surrounding the release of Vista, before the product even arrived, has been replaced by a much sweeter emotion.
The glimmer in Fathi’s eye as he postulates about his more security-free work of today and the future gives away the feeling he harbors regarding what Microsoft has accomplished with Vista. While the word never crosses his lips, it’s easy to see what he’s driving at: satisfaction.
At least until the next headline.