[ISN] Q&A: Microsoft Senior VP Paul Flessner on Trustworthy Computing

From: InfoSec News (isnat_private)
Date: Thu Apr 18 2002 - 00:33:43 PDT

    [Flessner dances around the questions in classic Microsoft fashion,
    which begs the question why he was being interviewed in the first
    place. From the sound of the article, I'd be willing to bet Microsoft
    has hired more food service employees in the timeframe that
    "Trustworthy Computing" became a real issue than security people - WK]

    April 15, 2002
    Paul Flessner, senior vice president of Microsoft Corp.'s .Net
    Enterprise Server group, talked about the company's ongoing
    Trustworthy Computing initiative during an interview late last week.
    Excerpts follow:
    Q: Can you discuss the impact of Microsoft's intensive security
    initiative on your product group?
    A: The security effort overall is in a couple dimensions. One, it's
    about education to the development teams. ... [Two], it's about a
    thorough review of the code. ...
    So the Windows team and the SQL Server team and the Exchange team and
    the e-business types and SMS management teams have all been through
    this process of training, code review. And now it's about how things
    are going to roll out and what fixes go where and how we're going to
    back-level some and how many just go forward, how many break
    compatibility. There's a lot of work and focus on that. ...
    Threat analysis is a big deal. ... It's one thing to be secure where
    people are supposed to come in. You know, do you have the right
    authentication? Do you have the right privileges? Do you belong to a
    group? That sort of thing. And I think we're pretty good at that
    today, and I think a lot of people and a lot of different systems are
    pretty good at that.
    It's this 'I didn't intend you to come in there,' and finding all of
    those and fixing them. That's the more complicated job. And we're
    doing a lot of stuff in that respect.
    We work with customers. We see how people get in, and we use that to
    make the fixes. We do analysis there. We're hiring outside experts to
    do threat modeling and threat analysis. We're building our own teams
    internally to do threat modeling and analysis.
    It's hard stuff. It actually takes a special kind of person who thinks
    ... out of the box. You really do want a very chaotic thinker. You
    don't want an analytical person to do it. It's a very different
    mind-set, because they have to be very generative in their thinking
    and think chaotically, and they kind of go at it like that. And then
    there's more structured analysis that comes after that.
    Q: Have you had to make any staffing shifts or changes because of the
    need for that type of person?
    A: We are hiring those people, if you can find them. They're very hard
    to find. We are trying to train internally people to start to think
    chaotically, if you can do that.
    Q: Were those the same internal people who were doing the security
    A: We're definitely supplementing with more people that think that
    way. A lot of the security people we had were the guys that were
    locking the doors and windows -- you know, the places where people
    were supposed to come in. And now we're having to supplement with
    these people that understand threat analysis better and think about
    chimneys and plumbing.
    Q: Where have you found them? Have you been hiring them from outside
    companies? Talking to young hackers?
    A: Yeah. We've talked to all of the above. And there are people that
    try to make a living in this space, consulting firms who do that. We
    do watch who's doing what and try to talk to them. There are people
    that kind of advertise themselves this way, and you talk to them.
    Coming out of school sometimes, there are people that just have a huge
    interest in this space. It's actually an area of research that's not
    well explored yet today, and we're talking to the research community
    about it.
    Q: How many people have you hired so far?
    A: For security only? I don't have an exact number. I don't know. It
    wouldn't be hundreds. It would be tens.
    Q: What kind of courses did you put your engineers through? Was it a
    set course that everybody took?
    A: We evolved it. ... Windows went through first, and we took their
    learnings and we modified the course data. Michael Howard is the
    gentleman at Microsoft who wrote this book Writing Secure Code. He had
    some information and we combined that with some third-party training,
    and we kind of evolved it and continue to make it better.
    So it's not a one-time thing. We'll be retraining people all the time.  
    As you come into Microsoft, before you code, you're going to be taking
    this training. There's a lot of effort going into making sure that
    people really understand how to do it, because it's just a change in
    thought, and it just takes that when you're writing your code.
    Q: What products have been most affected by the security reviews?
    A: That's hard to say. I don't know the answer, honestly. We're still
    kind of doing the analysis of what the impacts are. Windows went
    through first, and they're kind of still sifting through all of what
    they're going to do.
    But I feel very positive about it. I really do believe that the work
    we're doing is going to make a big difference. I think there's more we
    can do, but I really feel good about what we've done. ... I think our
    security model is very sound. Our failing, if you will, is not
    thinking like a criminal mind and going back and going through areas
    that we had no idea were vulnerable and patching that up.
    Q: Do you feel Microsoft gets a bad rap on the security front?
    A: I don't think we get a bad rap. ... There's a statistic out there
    of all the operating systems and all the vulnerabilities. ... It's
    statistically proven that we don't have more vulnerabilities than
    anybody else. It's just that we cover a huge installed base, and so
    when we are penetrated, it's a huge deal for customers. And we hate
    it. I mean, it makes me sick. It's just something that really bothers
    me. And we're going to do our best to plug it up.
    Q: Have any products had delayed ship dates because of this security
    A: Yeah, probably on one level, all of them. You know, all the next
    releases will have some impact by this work, and probably all of our
    releases going forward will. I mean, the reality is we have to think
    about the game differently.
    Q: What lessons have you learned as a result of the security review?
    A: I think the thing that pops up is, we call it code hygiene -- just
    the need to constantly be replacing code and upgrading it with the
    latest thinking and ideas. ... [With] each release, we go in, we
    rewrite a component of the code because it ages and it gets beat up
    over time because of maintenance.
    I think what we're going to be doing more ... is being more rigorous
    about inventorying our code and making sure that we replace it on a
    more timely basis so that we can get the latest thinking in it and the
    highest bar for quality.
    I think it's not only Microsoft's challenge; I think it's an
    industrywide challenge. I think we can do a lot more about the quality
    of our software.
    ISN is currently hosted by Attrition.org