Exchange ready to test secure code development in real world

When Microsoft completes development of Exchange 2003 next week it will not only be the end of a three-year effort but the beginning of a real-world gauntlet to test Microsoft’s promise to develop more secure code.

The company next week is releasing Exchange 2003 to manufacturing, which means CDs will be burned and made available to customers in the coming months. Microsoft also will announce pricing and licensing.

The software is only the second major server behind the April release of Windows 2003 that Microsoft has developed under the Trustworthy Computing banner, which chief software architect Bill Gates hung out in January 2002.

Gates vowed to make security a top priority when developing code, trumping Microsoft’s infatuation with feature bloat. After Gates’s declaration, Microsoft developers set aside work for two months to learn what it takes to write secure code.

While the move was well hyped, the proof is in the software and Exchange 2003 is the test case scenario.

While the Exchange server hasn’t been a high profile target, its Outlook client has been a hacker’s playground. New server features, however, such as allowing direct client connections to the server over HTTP, could potentially open up avenues for malicious activity and the Exchange team is bent on closing holes.

"How we know quality is there is very subjective, part of it is your gut," says Betsy Speare, Exchange 2003 release manager, who oversaw daily staff meetings and code builds. "The question is what are your development motivators. If they are around ship dates you won’t make the same decisions compared to your responsibility being the quality of the software."

The beginning Speare’s gut feeling began in March 2002, when the 450-strong Exchange team, including 175 developers and 175 testers, took eight weeks off for its Trustworthy Computing lesson. Once back to business, the focus was on code reviews, which are done for every new feature added, and threat analysis on such Exchange components as the message store, transport, and Active Directory integration, according to Simon Attwell, Exchange security program manager. The Exchange team used tools developed by Microsoft Research to automatically check code for known vulnerabilities such as buffer overflows. The tools churned through the code at each "build" and updated an issue tracking system. Attwell says the process was a welcomed change to the manual one used during the development of Exchange 2000.

Other processes also were done differently, says Speare. There was more upfront planning to establish development criteria and milestones, which led to the elimination of the typical round-the-clock marathons in the last week before a final release, she said.

"Planning gave us time to make better decisions along the way," says Speare.

Microsoft also had its 53 Joint Development Partners deploy some 170,000 seats of Exchange 2003 as compared to 80,000 during development of Exchange 2000. Every five weeks JDP customers and Microsoft’s Operations Technology Group (OTG), the internal IT department, got a new version of the code after it passed a couple of weeks of uptime in Microsoft’s "dog food" testing lab.