Microsoft’s new Vista operating system has placed more emphasis on security than any previous version of Windows.
It has added features like the Security Centre, which monitors the operating system’s multiple layers of security in the background, user account control, a built-in firewall, kernel patch protection and even a kernel security component requiring that any driver running at kernel level be tested and digitally signed by Microsoft.
These Vista security enhancements may have raised the bar, but at what cost?
The security aspects of the operating system have been improved at the price of complexity and in some respects changed for the sake of change – causing what is known as ‘code bloat’.
Simply, there are just too many lines of code!
Gartner has been quoted as saying that “Microsoft will be forced to migrate Windows to a modular architecture tied together through hardware-supported virtualisation.”
“The current, integrated architecture of Microsoft Windows is unsustainable – for enterprises and for Microsoft,” according to Gartner analysts Brian Gammage, Michael Silver and David Mitchell Smith.
According to Gartner, Vista will be the last version of Windows that exists in its current monolithic form. Hence, in the authors’ opinion, one has to question any decision to migrate to an operating system that, even prior to full public release, has already been deemed unsustainable, and that may itself quickly become obsolete, as it will be forced through yet another significant change in the form of virtualisation as early as perhaps 2008 or 2009.
With respect to the size of Microsoft Vista in terms of code bloat, it has been estimated that Microsoft Vista has pushed the operating system to have now reached or exceeded 50,000,000 lines of code.
Many experts have claimed that there is a relationship between the number of lines of code in a given program and the number of expected bugs – vulnerabilities. In reality, there are several considerations that make this analogy too complex for generalisations.
The number of predicted vulnerabilities must also consider the programming language used, the quality assurance practices in use and the level of testing afforded.
While many dispute the analogy of the number of lines of code equating in some manner to the number of vulnerabilities, no-one can dispute the fact that to date with each new Windows release we have seen an increase in the number of lines of code as well as the number of reported vulnerabilities.
Historical vulnerability statistics for Windows NT 4.0 (16,000,000 lines of code), Windows 2000 Professional (29,000,000 lines of code) and Windows XP Pro (40,000,000 lines of code) are detailed below.
When Windows 2000 Professional was initially released we were told it was more secure than its predecessor Windows NT 4.0, yet Windows 2000 Professional has historically had five times the number of reported vulnerabilities as Windows NT 4.0!
When Windows XP Professional was released we were told it would be more secure than Windows 2000 Professional, yet Windows XP had significantly more reported vulnerabilities than Windows 2000 Professional.
Is it any wonder that users are sceptical of the claims by Microsoft that Windows Vista will be more secure than Windows XP?
Vista will need all the help it can get from its security enhancements: going by historical studies, Vista’s 50,000,000 lines of code are poised to contain more than one million bugs, since “a typical commercial, closed source program has between 20 and 30 bugs per thousand lines of code”, according to a study conducted by Carnegie Mellon University’s CyLab.
In a May 2006 survey of executives that have tested Windows Vista, 44 percent found that Vista was too large, slow and memory hungry.
Will Microsoft Vista be able to reduce the need for third party security products?
On 9 November 2006, Microsoft’s Jim Allchin, while touting the new security features of Microsoft Vista, told a reporter that the system’s new lockdown features are so capable and thorough that he was comfortable with his own seven-year-old son using Vista without anti-virus software installed.
In part two of Paul Henry’s column, he goes on to question the decision for anyone to migrate to an operating system that is a monolithic form. The article will feature in CRN issue 217 out on 2 April.
Paul Henry is vice-president of technology evangelism at Secure Computing, a global provider of enterprise gateway security.
Protecting the enterprise
By Paul Henry on Apr 5, 2007 1:50PM