Feds get to peek at Windows code

Microsoft offers national governments controlled access to source code to shore up security features

For the first time, agencies will have access to the source code for Microsoft Corp. software as they work to shore up security features.

Microsoft announced Jan. 14 a global effort to provide national governments with controlled access to source code and other technical information on its Windows platforms.

The Government Security Program is a no-fee initiative that lets program participants review Microsoft Windows source using a code review tool — subject to certain license restrictions.

Participants also can visit the company's development facilities in Redmond, Wash., to review various aspects of Windows source code development, testing and deployment processes, according to Microsoft officials. They will also be able to interact with and give feedback to Microsoft security experts.

The initiative "is a good overture to the government," said Pete Lindstrom, research director with Spire Security, a Malvern, Pa.-based consulting firm. "Certainly a perception has built up [in the industry and among users] that Microsoft is doing things under the covers that might not be appropriate, or that the code is so complex they haven't done a complete job in removing bugs."

However, "Microsoft has recognized that people are taking security concerns more seriously," Lindstrom added.

Indeed, during the past few years, Microsoft officials have been stung by criticism that the company is lax on security as new flaws were discovered in Microsoft software almost daily. Therefore, the company has moved to convince users that providing secure software is a major priority.

In 2001, Microsoft launched the Shared Source Initiative, which makes Windows source code available to trusted partners and customers. Last year, the company unveiled Trustworthy Computing, an effort to ensure that Microsoft software is rigorously tested for security vulnerabilities during development.

The GSP supports and builds on the Common Criteria certification, a globally accepted independent standard for evaluating the security features and capabilities of information technology products. Windows 2000 achieved CC certification in October 2002.

The CC certification provides a common set of requirements that enable customers worldwide to evaluate the security functions of IT products and systems. The GSP takes this a step further by providing national governments with the information they need to perform extensive security analyses and audits of Microsoft products, company officials said.

So far, Russia and the North Atlantic Treaty Organization have signed GSP agreements with Microsoft. The company is in discussions with more than 20 countries about their interest in the program.

Participation in the program will be disclosed at the discretion of each government signatory. Microsoft will honor confidentiality agreements where necessary, company officials said.
