MINNEAPOLIS — July 10, 2005 — Today at the Microsoft® Worldwide Partner Conference 2005, Mike Nash, corporate vice president of the Security Business and Technology Unit at Microsoft Corp., updated Microsoft’s partners on the progress the company has made on security since the October 2003 Partner Conference. Nash discussed Microsoft’s approach to security and detailed progress made in the areas of technology investments, prescriptive guidance and industry leadership. Nash also encouraged customers and partners to adopt Microsoft’s newest technologies and security offerings.
“It has been almost two years since Steve Ballmer addressed this audience making a companywide commitment that Microsoft would make security a top priority, and we have been focused on delivering on that commitment,” said Nash. “We’ve taken the feedback we’ve received from customers and partners and turned that into action, making notable strides developing more secure products, and delivering essential guidance and tools to help customers be more secure.”
Based on progress Microsoft has made on security since October 2003, partners and customers are significantly more enabled and better positioned today to deploy more secure products with the tools and information needed to do it effectively.
While Nash highlighted progress, he also noted that customers are most secure when they run the newest versions of Microsoft products and service packs and use best practices and up-to-date techniques for securing systems and networks.
Making the Case for the Newest Platforms
Nash illustrated the increased resiliency of newer platforms such as Windows® XP Service Pack (SP) 2 with advanced security technologies. He shared data showing measurable improvements in the security of Windows XP SP2 over older versions of the operating system. Windows XP SP2 has one-half the number of critical vulnerabilities compared with Windows XP, Windows XP SP1 and Windows 2000 Professional in the first nine months since Windows XP SP2’s release in August 2004. In addition, customers using Windows XP SP2 are 13 to 15 times less likely to be infected by some of the most prevalent malicious software relative to customers using earlier versions of Windows XP, according to internal Microsoft analysis.
To date, Microsoft has distributed more than 218 million copies of the service pack. Microsoft has also distributed 2 million copies of Windows Server™ 2003 Service Pack 1 (SP1), which offers similar security improvements, since its release in March 2005.
Progress in Developing More Secure Code and Making More Secure Software
Nash highlighted Microsoft’s focus on improving the quality of software since Chief Executive Officer Ballmer announced new security initiatives in 2003. Microsoft has implemented a rigorous process known as the Security Development Lifecycle (SDL) to train employees on the development of more secure code, as well as test and review products for security quality.
So far, more than 15,000 Microsoft developers, program managers and testers have received specific and regularly updated training on the development of more secure code. The SDL has resulted in the development of products with significantly reduced rates of externally discovered vulnerabilities compared with software that has not been subject to the SDL process.
Nash also compared the security of Microsoft products with that of open source products, highlighting the clear value of SDL by showing that open source server and database products have had a significantly greater number and severity of vulnerabilities compared with Windows Server 2003 and SQL Server™ 2000 (according to the “Role Comparison Security Report: Database Server Role,” by Security Innovation Inc. and commissioned by Microsoft; published June 6, 2005: http://www.microsoft.com/getthefacts).
“Customers should evaluate the disciplined development process that comes with Microsoft products against open source, which has no similar process,” said Nash. “That, coupled with our clearly defined commitment to managing security issues, is a compelling differentiator for Microsoft against other platforms on security.”
Progress in Providing New Security Offerings
In addition to making the case for adopting Microsoft’s newest platforms, Nash gave an update on new technologies Microsoft is offering to provide added protection against malicious attacks and unwanted software:
The Windows AntiSpyware beta, which improves Internet browsing safety by guarding against more than 50 ways Web sites and programs can place spyware on a PC, has been downloaded more than 21 million times and has removed tens of millions of spyware packages since its release six months ago.
The Windows Malicious Software Removal Tool (MSRT) checks for and removes the most prevalent malicious software families from computers and has had 831 million executions since it was introduced in January.
Windows OneCare™, which helps protect and maintain computers and provides an integrated service that includes anti-virus, firewall, PC maintenance, and data backup and restore functionality, will be released in a series of betas this year.
Microsoft’s Sybari Antigen antivirus products help deliver reliable server-level protection and improved virus detection rates using a multiple scan engine approach, offering customers choice and the most up-to-date protection possible.
Progress in Providing New Tools and Guidance
Microsoft also has invested heavily in update management technologies to address vulnerabilities when they do occur. With Microsoft Update, Windows Server Update Services and Microsoft Baseline Security Analyzer 2.0, released last week, and the coming availability of the Systems Management Server (SMS) Inventory Tool for Microsoft updates, Microsoft is providing an integrated, reliable and consistent set of technologies to help customers better manage software updating.
“With the new offerings and standardizing on the current operating systems and stack, we’re able to remotely deploy patches,” said Manuel Montejano, chief information officer of Cole Taylor Bank. “It not only keeps our cost down, but it keeps our time to market very, very short.” (More information about Cole Taylor Bank’s story can be found at http://www.microsoft.com/resources/casestudies/casestudy.asp?casestudyid=16763.)
Based on customer feedback, Microsoft has also developed prescriptive guidance to help customers with security practices and keep them up to date. Microsoft’s security subject matter experts worldwide are engaged in new processes to ensure higher-quality security content is published. Currently there are more than 600 security resources online for enterprise customers and more than 90 for consumer customers. More information about this can be found at http://www.microsoft.com/security.
Progress in Industry and Law Enforcement Collaboration
Nash said that the security challenge can only be solved collectively by industry leaders — including IT vendors, law enforcement, policy makers, consortia and research communities — and that collaboration is proving to be effective.
On Friday, Microsoft announced that it will award $250,000 to two individuals who helped identify the creator of the notorious Sasser worm in 2004. The author of the worm, arrested in May 2004, was found guilty Friday by a court in Verden, Germany. The reward comes from Microsoft’s anti-virus reward program, an initiative established by the company in November 2003 to provide an incentive to those who can help identify those responsible for unleashing malicious viruses and worms on the Internet.
Microsoft also is collaborating with other industry leaders on the issue of spyware. Microsoft is a founding member of the Anti-Spyware Coalition, which includes some of the country’s largest technology companies and public interest groups, led by the Center for Democracy and Technology. In response to spyware, Microsoft is also working with the Federal Trade Commission and other public agencies that are using current law to find and stop purveyors of fraudulent and destructive software.
Microsoft Security Partner Resources to Be Expanded
Finally, Nash outlined partner opportunities and called on partners to achieve the Microsoft Partner Program (MSPP) Security Solutions Competency. He unveiled significant enhancements to the competency, which beginning in the fall will support a broader set of security services partners.
Specifically, in response to feedback from its partners, Microsoft will add two new specializations to identify the services business models of security partners: Security Management and Infrastructure Security. The Security Management specialization is designed for partners that provide services to develop IT security strategies, policies and procedures, risk assessment and overall IT security management services. The Infrastructure Security specialization is for partners focused on securing the Windows platforms and network infrastructure, including server, client, mobility and embedded operating system and perimeter products.
The Security Solutions Competency will have additional benefits to help partners strengthen their market position and extend their market reach. All partners within the competency will benefit from additional Microsoft internal readiness materials, enhanced security response alerts and support, dedicated security newsgroups, and targeted product marketing campaigns. These benefits will help them reduce operating costs, increase efficiencies and profitability, and leverage the MSPP to maximize their business potential.