• United States

Exchange ready to test secure code development in real world

Jun 27, 20035 mins
Enterprise ApplicationsMessaging AppsMicrosoft

When Microsoft completes development of Exchange 2003 next week it will not only be the end of a three-year effort but the beginning of a real-world gauntlet to test Microsoft’s promise to develop more secure code.

The company next week is releasing Exchange 2003 to manufacturing, which means CDs will be burned and made available to customers in the coming months. Microsoft also will announce pricing and licensing.

The software is only the second major server behind the April release of Windows 2003 that Microsoft has developed under the Trustworthy Computing banner, which chief software architect Bill Gates hung out in January 2002.

Gates vowed to make security a top priority when developing code, trumping Microsoft’s infatuation with feature bloat. After Gates’s declaration, Microsoft developers set aside work for two months to learn what it takes to write secure code.

While the move was well hyped, the proof is in the software and Exchange 2003 is the test case scenario.

While the Exchange server hasn’t been a high profile target, its Outlook client has been a hacker’s playground. New server features, however, such as allowing direct client connections to the server over HTTP, could potentially open up avenues for malicious activity and the Exchange team is bent on closing holes.

“How we know quality is there is very subjective, part of it is your gut,” says Betsy Speare, Exchange 2003 release manager, who oversaw daily staff meetings and code builds. “The question is what are your development motivators. If they are around ship dates you won’t make the same decisions compared to your responsibility being the quality of the software.”

The beginning Speare’s gut feeling began in March 2002, when the 450-strong Exchange team, including 175 developers and 175 testers, took eight weeks off for its Trustworthy Computing lesson. Once back to business, the focus was on code reviews, which are done for every new feature added, and threat analysis on such Exchange components as the message store, transport, and Active Directory integration, according to Simon Attwell, Exchange security program manager. The Exchange team used tools developed by Microsoft Research to automatically check code for known vulnerabilities such as buffer overflows. The tools churned through the code at each “build” and updated an issue tracking system. Attwell says the process was a welcomed change to the manual one used during the development of Exchange 2000.

Other processes also were done differently, says Speare. There was more upfront planning to establish development criteria and milestones, which led to the elimination of the typical round-the-clock marathons in the last week before a final release, she said.

“Planning gave us time to make better decisions along the way,” says Speare.

Microsoft also had its 53 Joint Development Partners deploy some 170,000 seats of Exchange 2003 as compared to 80,000 during development of Exchange 2000. Every five weeks JDP customers and Microsoft’s Operations Technology Group (OTG), the internal IT department, got a new version of the code after it passed a couple of weeks of uptime in Microsoft’s “dog food” testing lab.

The company also polled feedback from its own end-users once OTG had Exchange 2003 running live in November. It was the first time the company had polled end-users during development and the process was done every week until launch.

Also in November, Microsoft prepared for the release of its first beta, which shipped in January 2003. Exchange testers spent three months checking features against established release criteria.

In February and March, with the feature set complete, development ceased and the focus was on finding and fixing security issues. It was the first time ever such a process had been initiated in the development cycle.

Independent security testing firm @stake, which works with four of the top 10 software vendors, was brought in to do two-weeks of penetration testing, including close scrutiny of possible vulnerabilities in client connections.

Chris Wysopal, director of research and development for @stake said his team found about 30 bugs and made two recommendations to meet Microsoft’s “secure by default” criteria, including changing a default so the only open RPC port was the one used by Outlook to talk to Exchange.

Microsoft followed with its own internal security task force review during March.

The Exchange team spent from late March to mid-May on 1,000 release criteria tests, a series of scenario-based tests such as deploying public folders in a clustered environment with a diverse set of client access options. There was also another three-week test period with JDP customers and Microsoft’s OTG before the first release candidate was shipped on June 2. OTG continued with its testing up until the code was released to manufacturing.

“We are feeling very confident about this product,” says Microsoft’s Attwell.

Confidence and a battery of new secure development techniques not withstanding, the real testing in set to begin on the customer gauntlet.

The pricing of the base server has not changed compared to Exchange 2000. The Standard Edition is priced at $699 per CPU and is targeted at 50 to 5,000 users. The Standard Edition will support Outlook Web Access, the browser client that runs off the Exchange server. The Enterprise Edition is priced at $3,999 per CPU and includes support for clustering and storage.

The general availability of Exchange 2003 is expected to coincide with the release of Office 2003, which includes the Outlook 2003 client.