
Bill Gates on security

Microsoft's co-founder gives some advice on safeguarding your applications

The Microsoft Professional Developers Conference in Los Angeles marked the debuts of early versions of the company’s next-generation operating system, relational database, and developer tools.

It also highlighted Microsoft’s realization that security should not be an afterthought in the development process. After his keynote, chief software architect Bill Gates paused briefly to answer questions on the firm’s plans from Computer Dealer News.

CDN: How do you see the next generation of hardware and software? Do you think that the Internet will be transparent and fully integrated in the operating environment?

Bill Gates: Well, certainly in the computing environment, we’ve integrated more and more capabilities. You don’t have to think, ‘Oh, I’m going to the Internet to get this,’ versus, ‘I’m going to the local disk, I’m going to the local network.’ That was our philosophy with the browser from the very beginning. We’re going to take that to a whole new level in terms of going out to get information, and yet be able to do it in such a way that you know you’re getting secure information, that the right things can happen even as you go out to the Internet. For example, today you either end up with tons of different passwords, or you have to do things in a very insecure way. So this (Web services) is really the next level of Internet integration, and the thing that didn’t exist is the programming model to unify those things.

CDN: A lot of people in the industry still aren’t clear about what Web services are and what kind of difference they will make in the enterprise.

BG: Until we had this concept of Web services, software on the Web couldn’t talk to other software on the Web. And so it’s pretty fundamental to think about Web services and how that’s built in. That’s what really takes the Web to the next level where you’re going out and getting price quotes or the latest results on customer satisfaction, and having software interaction. All those information sources are brought into one rich visualization.

CDN: Security starts with the developer. What do you think that developers can do to harden their apps and how is Microsoft helping with tools?

BG: You don’t need perfect code to avoid security problems. There are things we’re doing that are making code closer to perfect, in terms of tools and security audits and things like that. But there are two other techniques: one is called firewalling and the other is called keeping the software up to date. None of these problems (viruses and worms) happened to people who did either one of those things. If you had your firewall set up the right way — and when I say firewall, I include scanning e-mail and scanning file transfer — you wouldn’t have had a problem. But did we have the tools that made that easy and automatic and that you could really audit that you had done it? No. Microsoft in particular and the industry in general didn’t have it. The second is just the updating thing. Anybody who kept their software up to date didn’t run into any of those problems, because the fixes preceded the exploit. Now the times between when the vulnerability was published and when somebody has exploited it, those have been going down, but in every case at this stage we’ve had the fix out before the exploit. So next is making it easy to do the updating, not for general features but just for the very few critical security things, and then reducing the size of those patches, and reducing the frequency of the patches, which gets you back to the code quality issues.

CDN: What about all the recent reports about vulnerabilities in Microsoft products?

BG: We’ve seen an order of magnitude less vulnerability in the code that’s been through the new tools, and we need about another order of magnitude. We’ve had 12 things in about an eight month period in Windows Server 2003 and with the equivalent level of attack in the previous generation we would have had over 100. We had 43, but adjusting for the level of intensity it’s a factor of 10 difference. If we can get another factor of 10, which would get you down to 1.2, plus the improvements in the patching and updating, that’s what people want. That should be doable, but that’s the piece that doesn’t happen overnight.

CDN: How worried are you about the number of attacks on Microsoft software?

BG: Actually in a sense it’s very good to have this maturity, saying that a high volume operating system will be the one that people have tried to attack. Low volume software is always attackable. It’s only attacked when somebody wants to be malicious. High volume software is attacked when somebody wants just visibility and glory, and the fact is that the hardening is part of the process of having the level of reliability guarantee that we need to make.