Content

Leading lady takes the SP2 spotlight

The server in the Jimi Hendrix room – a multimedia lounge in Microsoft's customer experience center – has just crashed for the third time. While the PR and the technician attempt to hide their red faces with explanations of "Oh, it's just been upgraded," one might wonder what it has been upgraded to. Could it be Service Pack 2 for XP?

This is not a good start. This meeting at Microsoft's headquarters in Redmond, WA has been set to discuss the technology behemoth's new approach to secure and reliable software, and specifically the release of SP2.

The woman with overall charge of SP2 is Rebecca Norlander, a former developer. While Microsoft's IT pros struggle to get the server up and running, she is having her photograph taken, her body language impressively cool as the photographer asks her to move and Microsoft's make-up artist adjusts her hair.

After the photo-shoot, she sits down for the interview, accompanied by two public relations officials. She seems a determined, but very relaxed woman. A triathlon competitor, Norlander has recently cycled 205 miles in a day between Seattle and Portland.

"I do three things," she explains. "I work, I train and I sleep. So there hasn't been a ton of socializing lately, unless people want to train with me. The bike ride wasn't hard. I thought that I would be dragging myself, but I finished, did a little jogging and I wasn't even sore.

"Everything I do, I do it intensely," she continues. "I'm either going to do it well, or not do it at all."

Last September, Microsoft moved Norlander from working on Longhorn – the next version of Windows, which is not scheduled to hit the market before 2006 – to Project Springboard, which later became SP2. It was on this project that she helped to create a rather different looking version of Windows XP.

"I had given a lot of thought to how we needed to think differently about security and needed to be ahead of the game, instead of fixing one-off bugs and looking in one specific area," she says.

"They needed someone who was able to rally engineers and think differently about how to secure Windows. I worked with an architect and we talked about how we could embed shield-like technology over the top of the product."

Norlander has fought a long battle at Microsoft to ensure that developers change their approach to security. She was determined that the firm needed to stop acting reactively and start building better software from the ground up.

"The biggest change for me is that it's made me more passionate about getting engineers to think differently about problems," she says.

"As an engineer, you want to make everything perfect – fix all the bugs and get ahead of the game that way. Really thinking about that has motivated me to think differently about security. It means that there's a larger game to play, and I think that's interesting. That lets you think about lots of creative things, so it's charged me up. Admittedly, I'm ready for a vacation. When I finish, that will be the first thing I do. But then, after that, I'm excited about what this thinking will do – both for the company and the computing industry at large."

But the SP2 project has not come without setbacks. Although Microsoft denies any delay in the product's development, insiders indicate that the firm has postponed the release date three times, and that the actual release date was kept fluid right up to the actual launch date of August 6.

"We wanted to make fairly aggressive changes in the name of security, but keep the product as something that can be deployed on a regular basis," recalls Norlander.

"From a security standpoint, you straddle the line between customer satisfaction and the engineers who want to lock everything down. A tragedy would have been to put all this energy in only to not roll it out for some reason. It's always a fight, because if I held on forever, then no one would ever get their hands on it."

Microsoft has struggled with security this year. Media reports on multiple flaws in Internet Explorer and Windows have given the firm food for thought, and the security body CERT even went so far to as to recommend that users switch from IE to other, more secure browsers. Part of Norlander's job has been to restore credibility to Microsoft in the security industry. Even so, she is confident that hackers are eager to break the product.

"We expect that hackers will try to find new ways to poke holes in the product," she says.

"For SP2, we made a lot of changes to the browser. A lot of the functionality we people have relied on, hackers were taking advantage of. Windows is one of the things they like to hack. We've made it more difficult for them by changing the settings and providing the 'shield-like technology over the top. So will it be hacked? Eventually. Will it be more challenging? Absolutely."

She knows hackers are targeting SP2, but she doesn't know when they will strike. "I'm a pessimist," she says. "I don't know when the first exploit will hit SP2. I'd like to say longer than average, but I don't know. I do believe strongly in the changes we've made, but the truth is, they're smart. Can I give you a day, or a week, or a month? I have no idea."

Norlander's mission to drag Microsoft kicking and screaming into the security arena has been no easy feat. One of the biggest concerns from the voice of industry has been on compatibility. While the all-singing SP2 supposedly enhances security with its switched-on firewall, administrators have worried about how existing applications will run. Norlander is unclear how much damage this could do.

"I know a lot of customers have been concerned about application compatibility," she says. "That's why we got feedback from customers about it. It shouldn't stop applications, but in a managed environment, you'll need to do some testing. If you roll it out without testing, it might stop some applications."

She hopes to give Microsoft customers better value for money by reducing the time needed for patching. But she is unsure how long testing will take and how much it will cost.

"In a corporate space, I don't know how long it will take to make it work," she says, "We've done an awful lot of work to provide guidance and training, where 200 of our top enterprise customers came in and we gave two days' worth of workshops.

"No matter what it costs, it will help to mitigate the cost of having to patch at the last minute and having to install additional security technologies further down the road. The goal over time is to create a system that saves money, rather than thinking about the upfront costs."

Security vendors will also be affected by SP2, she says. So firewalls can talk to Microsoft's Security Center, vendors will have to upgrade their products, as will the users of those products.

"We've tested a bunch with various firewall products," she says. "In terms of whether that communicates, there are APIs where firewall vendors can make changes so they fit into Security Center. Those products will have to be updated. We tried to iron out most of the difficulties so corporations can roll it out with as little difficulty as possible."

With so many compatibility problems, some IT security professionals fear it could do more harm than good. But Norlander rejects the charge: "I don't believe it will be as disastrous as people are thinking now. I think home and corporate users want Microsoft to make software more secure. That's one of the reasons we worked on getting feedback. But there will be differences in the user experience – absolutely."

But for IT administrators who could be faced with hours of tweaking during their weekends to make applications run, wouldn't it just be easier to turn the firewall off?

"I'm not sure that a lot of people will switch it off," says Norlander. "I think home users will put Windows on their system and leave the default configuration. They will end up having a firewall and that's great. Inside corporate, that's a mixed bag.

"We're using it within Microsoft," she says. "Our IT people did a bunch of work to configure it to see if it worked with our internal applications. We leave it on because of the different profiles, we ratchet up the settings for when your machine leaves the domain and goes to other networks."

Norlander's work is in the spotlight. Microsoft's hopes are in her hands and she has a hard battle ahead of her trying to convince the industry that the words Microsoft and security can go together.

But she is a focused woman. Her demeanor oozes confidence as she responds to the most aggressive challenges with a steady smile and practical answers. Perhaps she really can get Microsoft to think differently.

"It was important to get this right," she says. "I'm happy to teach people that instead of fixing bugs, they should start thinking about all the resources available, and to turn the picture upside down. I believe it's a good start, and a great change in the way we think about our products."

With the meeting over, a quick, last-minute visit to the Jimi Hendrix room to sneak a go on the Xbox reveals that the offending server appears to have been fixed.

Maybe it is now running SP2.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.