Microsoft launches 'Gold' security partner program

Computerworld
Microsoft


By Sam Costello, IDG News Service

(IDG) -- In a move that the company hinted at in recent months following the Code Red and Nimda worms that exploited vulnerabilities in its software, Microsoft Corp. today announced its Gold Certified Partner Program for Security Solutions.

The program, which is a component of the company's existing partner programs, will provide Microsoft customers with references and links to security consultants and companies that have been trained, certified and tested by Microsoft to ensure quality, said Phil Putzel, program manager for the Gold Certified Partner Program.

Companies that participate in the program will be given early information about some products and will also receive technical training, product information, software licenses and sales and marketing aids, Putzel said. The program will officially launch early next month.

To become members of the Gold-level partner program (Gold is a step higher than the regular program), companies will have to be existing members of the certified partner program and they must have at least four employees who hold either Microsoft Certified Systems Engineer or Microsoft Certified Solution Developer certifications, at least two of whom must have passed three Microsoft Certified Professional tests. Interested companies must also agree to Microsoft's code of conduct for disclosing security vulnerabilities, the company said in a statement. The annual cost of the program is $1,450, Putzel said.

In return, Gold-level partners will receive training, sales and marketing support, customer referrals and a host of software licenses from Microsoft, Putzel said. In addition, the partners receive dozens of licenses for Microsoft software, including Windows and Office XP, SQL Server 2000, Windows 2000 server and developer tools, he said.

The code of conduct provision is likely to cause controversy, however. It carries out a proposal put forth by Microsoft in November under which information about security vulnerabilities would not be disclosed until patches to fix the problems are available. Many in the security and research communities contend that full disclosure of vulnerabilities is essential for creating work-arounds while they wait for patches. Full disclosure can also help stave off future security problems, they say.

Scott Culp, manager of the Microsoft Security Response Center, put forward the proposal in a paper posted on Microsoft's Web site, and reiterated the idea at the Trusted Computing Conference in November. The full disclosure of security vulnerabilities only aids hackers and led directly to the costly and serious Nimda and Code Red worms that attacked Microsoft's Internet Information Services Web server, he said in the paper. Code Red struck in July and August, Nimda in October.

The code of conduct in the new program will work along the lines of Culp's proposal: it would require security consultants and companies to pledge to inform the vendor of a problem, giving the vendor time to create a patch and giving users time to apply the patch before the flaw is fully disclosed, Culp said in an interview yesterday.

The code of conduct will lead companies to "handle security vulnerabilities responsibly and in a way that will protect the customers," he said.

Answering critics who charge that the true aim of the program is to hide the costly and embarrassing flaws in Microsoft products, he said, "There is no effort here to try to hide security vulnerabilities."

"All we have ever suggested is that when a security patch is made available, it's a good idea to give customers, say, a 30-day grace period" before posting details of how to exploit the vulnerability, he said. The program will allow Gold-level partners to notify their customers of any security holes they find, Culp said.



 
 
 
 

