/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsSAN FRANCISCO: Microsoft Corp. said that Windows 2000 has received the highest level of security evaluation of any commercial operating system, an important benchmark for government and other contracts.
Independent evaluators looked at the development methodology, documentation, architecture and other operational and security aspects of the software in a broad set of real-world scenarios, Craig Mundie,
Chief Technology Officer and Senior Vice President for advanced strategies and policy at Microsoft, told Reuters. It took three years and "many millions of dollars," he said. "This is an important milestone for the company." Plagued by security vulnerabilities in its software that left customers open to attack and prompted criticism from experts, Microsoft embarked in January on a company-wide program, dubbed "Trustworthy Computing," to improve the security of its products.
Microsoft has gotten mixed reviews for its efforts, and some experts said that while the new security rating may help the software giant get contracts with governments, banks and others who have strict requirements for bids, it did not necessarily mean the software has fewer flaws in it.
Not testing for flaws
"This type of testing isn't testing for flaws," said John Pescatore, an analyst at Gartner Inc. "It's more testing whether we can believe the claims the operating system is making for the security functions it provides."
"This is like bumper crash testing," he added. "Your bumper will withstand an impact of a certain number of miles per hour, but it doesn't tell you whether your tires are going to go flat. It's certainly not a warranty." Alan Paller, research director at the System Administration, Networking and Security Institute, agreed.
"It doesn't mean anything for the users. Right now, it's a relatively pure marketing program for the vendors," Paller said. "They still deliver the software misconfigured and with flaws."
However, Paller praised Microsoft for its efforts to improve the security of its software by giving its programmers special training and testing millions of lines of code in Windows. "Microsoft may not have solved all the problems, but I think we'll find that the other vendors are way behind them," he said.
Although Windows 2000 was released three years ago, it is still the dominant operating system used on desktop computers, Pescatore said. Microsoft is submitting Windows XP Professional and Windows .NET Server 2003 for evaluation and is optimistic certification will come more quickly.
"We took work done for Windows 2000 certification and carried it forward because it has a common code base and much of the work that was done doesn't have to be done again," Mundie said.