Locking the Barn Door

Of bowling and certifications.

The most excellent Fabio and your sweet Auntie were bowling the other night. (No, it’s not all evenings at the opera for us.) The dear man was crowing about his prowess after reducing his third 7-10 split in a row to a spare. At least, he was crowing until I suggested it might prove more about his worth as a bowler to not leave 7-10 splits in the first place. After another pull at the longneck, I proceeded to throw a strike myself and contemplate the similarity between our evening at the lanes and Microsoft certifications.

Don’t see the connection? Allow me to explain. At this year’s TechEd, Microsoft’s Lutz Ziob announced the launch of the MCSA: Security and MCSE: Security certifications (or more precisely, certification specializations). Candidates must pass some prescribed exams from the regular choices that demonstrate their ability to design and implement secure Windows 2000 networks.

Designing and implementing secure networks. There’s a 7-10 split if ever I heard one! What’s the equivalent strike? Why, installing a network product that’s secure in the first place, of course. But to get that product, one has to turn from the sys admins to the developers.

Think back to early 2002 when Microsoft was trying to stem a flood of bad publicity by getting serious about security in its products. Under the rubric “Trustworthy Computing,” it invested a sum of money roughly equivalent to the cost of running a decent minor league baseball team in retraining developers to write secure code. Senior Vice President Craig Mundie churned out a white paper on Trustworthy Computing (http://www.microsoft.com/presspass/exec/craig/10-02trustworthywp.asp) that was trumpeted far and wide. The very first means Mundie identifies for Trustworthy Computing is, “Secure by Design, Secure by Default, Secure in Deployment.” He goes on to write about the importance of secure development up front: “All code is thoroughly checked for common vulnerabilities using automatic or manual tools. Threat modeling is built into the software design process.”

So, why didn’t the certification folks get the message? If the Trustworthy Computing vision is fulfilled, then implementing a secure network should only be a matter of popping the right DVD into the server and letting it rip. The effort comes up front, in writing secure code. And—just in case I haven’t already belabored the point sufficiently—that means that Microsoft should have come out with an MCSD: Security specialization. Without secure software in the first place, the sys admins are in the unenviable position of locking all the doors to the barn without even knowing if there’s a horse inside.

You would think, after all, that Microsoft learned a thing or two about secure development in tearing apart those millions of lines of source code. And we know that they have people on staff whose job is to teach such lessons to the rest of us. So, why haven’t we seen official curriculum on secure development? Why no MCSD security exams? Why not try to cover all of the security bases if you’re going to announce security specializations?

Only a cynic would mention that there were already existing security exams for the MCSE track, so that Microsoft didn’t have to invest any exam-writing dollars to back up the TechEd announcement.

Then again, perhaps there are good reasons why Microsoft chose not to emphasize secure development in the new certifications. Windows 2003, the poster child for “secure by design,” launched April 24. The first security patch for Windows 2003 came out June 4. Six weeks without a patch isn’t all that impressive a result for the hundreds of millions of dollars spent on hardening the Windows source code.

Whoops! Excuse me... Fabio just plopped my color-coordinated hot-pink bowling ball into my lap, and it’s time for me to show him what a sys admin can do with it.

About the Author

Em C. Pea, MCP, is a technology consultant, writer and now budding nanotechnologist who you can expect to turn up somewhere writing about technology once again.


Reader Comments:


Mon, Oct 20, 2003 Eric London

Designing secure code is a laudable chore; however, it will never replace the necessity of designing common sense security practices into your network. An OS that does not leave itself wide open by default is a start, but without a rational and knowledgeable human being configuring and designing the network, the code is useless by itself. Microsoft should not waste time designing a supplementary security exam; instead, security should be integrated into the certification, as much as it is integrated into the software. My 2 p.

Fri, Oct 17, 2003 JimV Alexandria

Surely a security exam for developers would be a welcome sign that MS is serious about security. Another would be an MCP-Security, equivalent to the old MSP-Internet or to CISCO's CCSP, which focuses exclusively on security, or the SANS GCWN, which focuses exclusively on Windows. This could create a crew of MS security experts. It could also encourage those who already have an MCSE to go back and study up on security issues.

It does seem that merely agglomerating existing exams, making them options for existing titles, and adding a word to the title is an easy way to fake seriousness about security. I have little doubt that many at MS are serious about security, but it is not obvious among those who develop the certifications.

Mon, Oct 13, 2003 Rik QLD

You give enough monkeys a numeric padlock, and one will open it first go. Doesn't mean we shouldn't use security devices though. Perhaps MS should have added more monkey testing to the mix?

Wed, Oct 8, 2003 Brett Anonymous

Point taken esp. the cynic's comment.

Mon, Sep 29, 2003 Anonymous Anonymous

Useless and banal.
