[ISN] Microsoft Security: What's Next?

From: InfoSec News (isnat_private)
Date: Wed Jan 08 2003 - 02:56:30 PST

  • Next message: InfoSec News: "[ISN] California disclosure law has national reach"

    By Dennis Fisher
    January 7, 2003 
    Scott Charney has been on the hot seat ever since he joined Microsoft 
    Corp. last year as the software giant's chief security strategist. He 
    arrived in Redmond, Wash., four months after Bill Gates sent out his 
    famous memo outlining the company's new Trustworthy Computing 
    initiative and a newfound commitment to security. He is not only the 
    public face of that effort but also the man who is ultimately 
    responsible for carrying out Gates' instructions regarding security. 
    Charney talked to eWEEK Senior Editor Dennis Fisher recently about the 
    progress Microsoft has made in the last year and what lies ahead for 
    Trustworthy Computing. 
    eWEEK: How do you think the company has done as far as Trustworthy 
    Computing is concerned in the last year? 
    Charney: In some ways, I think we've made great progress. But then I 
    look at it as a continuum, and it seems like we've made very small 
    steps on a very long road. Some of the steps have been important ones. 
    Before Trustworthy Computing, the delaying of products because of 
    security concerns was not common practice at Microsoft—or in the 
    industry, for that matter. It's an organizational change. Trustworthy 
    Computing is a long-term effort, and some of the benefits have not yet 
    been realized in the market. 
    eWEEK: How so? 
    Charney: Well, Windows .Net Server [2003] hasn't been released yet, 
    but a lot of the work we've done in the security push will be evident 
    in that release. We're doing a lot of after-action efforts where we 
    look at things like whether the vulnerabilities we found in the 
    security push are unique to a product or more widespread. We will 
    continue the push constantly on every new product that we release. 
    Overall, I'm very pleased, but we still have a long way to go. 
    eWEEK: What other elements of Trustworthy Computing are you working 
    Charney: One of things I'm looking at is, how do you come up with an 
    objective measure of the security of a product? Our chief privacy 
    officer, Richard Purcell, has developed this tool called the Privacy 
    Health Index to assess the performance of each application. But when 
    you think about trying to apply that to security, it gets kind of 
    fuzzy. The questions we ask as part of the privacy index are binary, 
    yes or no. But if you ask a developer if he did a security code review 
    and he says yes, what does that mean? It's a really important thing. 
    We're struggling to find the right system. 
    eWEEK: What are some of the things that you'd like to address in the 
    coming year? 
    Charney: I think it's important to [do the security] push on products 
    that are taking on new roles in the marketplace, things like instant 
    messaging and handhelds. We need to get ahead of the curve to make 
    sure that we're sensitive to how the technology's being used. We need 
    to continue to make progress on Palladium. Our goal is making security 
    easier to use. Think about how difficult it is to manage security. The 
    technology has proliferated much faster than the training has. We need 
    to analyze the training program, too. It's amazing how many people who 
    have computer science degrees have no security training. 
    eWEEK: Do you think the idea of improving security has really taken 
    hold inside the company? 
    Charney: I do. The number of e-mails that I see with people raising 
    security issues is huge. That didn't happen before. The cultural 
    change is very marked and very real. 
    eWEEK: You've talked a lot about the security training that all of 
    Microsoft's developers went through. Is that something that will be 
    ongoing in the future? 
    Charney: Definitely. There's going to be continuous training. We're 
    looking at ways to improve it and come up with an agenda for 
    continuous professional growth. 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Jan 08 2003 - 05:54:39 PST