Gates: ‘You don’t need perfect code’ for good security

This week’s Microsoft Professional Developers Conference in Los Angeles marks the debuts of early versions of the company’s next-generation operating system, relational database, and developer tools. It also highlights Microsoft’s realization that security should not be an afterthought in the development process. After his keynote, Chief Software Architect Bill Gates paused briefly to answer a couple of questions on the firm’s plans with

ITB: How do you see the next generation of hardware and software? Do you think that the Internet will be transparent and fully integrated in the operating environment?

Bill Gates: Well, certainly in the computing environment, we’ve integrated more and more capabilities. You don’t have to think, “Oh, I’m going to the Internet to get this,” versus, “I’m going to the local disk, I’m going to the local network.” That was our philosophy with the browser from the very beginning. We’re going to take that to a whole new level in terms of going out to get information, and yet be able to do it in such a way that you know you’re getting secure information, that the right things can happen even as you go out to the internet.

For example, today you either end up with tons of different passwords, or you have to do things in a very insecure way. So this (Web services) is really the next level of Internet integration, and the thing that didn’t exist is the programming model to unify those things.

ITB: A lot of people in the industry still aren’t clear about what Web services are and what kind of difference they will make in the enterprise.

BG: Until we had this concept of Web services, software on the Internet couldn’t talk to other software on the Internet. The only thing that worked was you could move bits — that’s TCP/IP — or you could put up screens — that’s HTML — but software couldn’t talk to software. And so it’s pretty fundamental to think about Web services and how that’s built in. That’s what really takes the Internet to the next level where you’re going out and getting price quotes or the latest results on customer satisfaction, and having software interaction. All those information sources are brought into one rich visualization. That was the demo we did this morning.

With hardware, you’re going to have lots of variety, whether it’s on the wrist, in the pocket, the tablet, on the desk, on the wall, even in the car. It’ll be integrating your information needs across all of those different device types, so you get the information you care about when you want it, no matter what you’re doing during the day. But each of the hardware form factors is on its own path of rapid improvement.

ITB: Security starts with the developer. What do you think that developers can do to harden their apps and how is Microsoft helping with tools?

BG: You don’t need perfect code to avoid security problems. There are things we’re doing that are making code closer to perfect, in terms of tools and security audits and things like that. But there are two other techniques: one is called firewalling and the other is called keeping the software up to date. None of these problems (viruses and worms) happened to people who did either one of those things. If you had your firewall set up the right way — and when I say firewall I include scanning e-mail and scanning file transfer — you wouldn’t have had a problem. But did we have the tools that made that easy and automatic and that you could really audit that you had done it? No. Microsoft in particular and the industry in general didn’t have it.

The second is just the updating thing. Anybody who kept their software up to date didn’t run into any of those problems, because the fixes preceded the exploit. Now the times between when the vulnerability was published and when somebody has exploited it, those have been going down, but in every case at this stage we’ve had the fix out before the exploit. So next is making it easy to do the updating, not for general features but just for the very few critical security things, and then reducing the size of those patches, and reducing the frequency of the patches, which gets you back to the code quality issues. We have to bring these things to bear, and the very dramatic things that we can do in the short term have to do with the firewalls and the updating infrastructure.

ITB: What about all the reports about vulnerabilities in Microsoft products recently?

BG: We’ve seen an order of magnitude less vulnerability in the code that’s been through the new tools, and we need about another order of magnitude. We’ve had 12 things in about an eight month period in Windows Server 2003 and with the equivalent level of attack in the previous generation we would have had over 100. We had 43, but adjusting for the level of intensity it’s a factor of 10 difference. If we can get another factor of 10, which would get you down to 1.2, plus the improvements in the patching and updating, that’s what people want. That should be doable, but that’s the piece that doesn’t happen overnight. It’s a matter of giving people the tools, it’s people not understanding the design of APIs where you get vulnerabilities. Certainly there are whole classes of vulnerabilities like buffer overruns that are very well understood at this point, and the scanning tools are very good and the compiler switches are very good.

Not everybody has changed their code and done the recompilations to get rid of those things. But fortunately the main system that’s under attack today is the latest operating system. The fact is, there are security vulnerabilities in people’s applications in many places. I mean, people act like some other systems don’t have vulnerabilities; actually all the forms of Unix as well as Linux have had more vulnerabilities per line of code. They don’t propagate as much because they’re not as dense as our system is, so the things that prevent the propagation are particularly important for our world.

ITB: How worried are you about the number of attacks on Microsoft software?

BG: Actually in a sense it’s very good to have this maturity, saying that a high volume operating system will be the one that people have tried to attack. Low volume software is always attackable. It’s only attacked when somebody wants to be malicious. High volume software is attacked when somebody wants just visibility and glory, and the fact is that the hardening is part of the process of having the level of reliability guarantee that we need to make.

