[ISN] Microsoft Security Guru Leaves Post

From: InfoSec News (isnat_private)
Date: Tue Dec 24 2002 - 02:36:23 PST


By Dennis Fisher
December 23, 2002

Scott Culp, the man responsible for Microsoft Corp.'s security response efforts, has left his post and moved to a new position within the company's Security Strategy Group.

As manager of the Microsoft Security Response Center, Culp has been the public face of the software giant's efforts to respond to security problems in its products and improve its image within the security community. During his five years in the MSRC, Culp played a large role in the development of Microsoft's procedure for handling vulnerabilities, dealing with security researchers and getting patches and information out to customers.

In his new role as a program manager for security strategies, Culp will be working on security projects across the company's product portfolio. He'll be working under Scott Charney, the chief security strategist at Microsoft, based in Redmond, Wash.

"I'm proud to [have] played a role in building a high-quality program for responding to security issues in Microsoft products and helping our customers keep their systems secure," Culp said. "With Microsoft's increased focus on improving the security of its products through our Trustworthy Computing Initiative, I now am ready to try something new and put my security experience to use in a new role at the

Steve Lipner, director of security assurance, will still be responsible for the overall workings of the MSRC.

Culp was the driving force behind Microsoft's current attitude toward the responsible handling of software vulnerabilities and the researchers and crackers who find them. In a widely read article he posted to Microsoft's security Web site in the fall of 2001, Culp denounced what he saw as the irresponsible publication by some in the security community of vulnerability data and exploit code before vendors have a chance to release patches for the issues.

"It's high time the security community stopped providing blueprints for building these [worms and viruses]. And it's high time computer users insisted that the security community live up to its obligation to protect them," Culp wrote in the article. "We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it. If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used."

The paper drew strong reactions from people on both sides of the debate, with some researchers dismissing it as self-serving rhetoric designed to scare people away from looking for flaws in Microsoft products. Still, many in the security community say Culp made the most of a difficult, often thankless job.

"Probably the most sensible thing Microsoft has done recently on the security front is to convince Scott Culp to move over to the relatively new group known as the Trustworthy Computing Initiative. Scott has a rare combination of skills for the security world; he's not a programmer, and he is able to speak to people without making them hate him," said Russ Cooper, surgeon general of TruSecure Corp., in Herndon, Va., and moderator of the NTBugTraq mailing list, who has often been at odds with Culp on security issues. "Combined, Scott has been very effective at gaining consensus within Microsoft on how to better handle security issues when they arise, and over the past four years has been very influential in effecting changes to the mindsets of product managers - making them appreciate the value of doing this correctly. In his new position Scott will, hopefully, have more time and status to effect further changes. Now if we can only get him to go after those folks in Windows Update more fervently."
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.

This archive was generated by hypermail 2b30 : Tue Dec 24 2002 - 09:10:53 PST