[ISN] Microsoft's lessons from the desktop

From: InfoSec News (alerts@private)
Date: Wed Jun 27 2007 - 22:05:35 PDT


http://news.com.com/Microsofts+lessons+from+the+desktop/2009-1002_3-6189433.html

By Joris Evers
Staff writer, CNET News.com
June 27, 2007

Pete Boden wants people at Microsoft to think like criminals. That's why 
the company held its first "Blue Hat" meeting in 2005, which invited 
hackers onto the corporate campus for lectures and meetings intended to 
expose security employees to the mentality of digital intruders.

Although it has become a popular biannual event, Blue Hat can still be 
an unnerving experience at times as guest hackers occasionally break 
Microsoft products in front of the people who built them. But studying 
such simulated attacks--a process known as "threat modeling"--provides 
invaluable lessons in teaching developers how an application can be 
attacked and what the security controls should be.

"Often times, we find that developers are thinking like a developer or 
like a user," said Boden, senior director for MSN and Windows Live 
security at Microsoft.

That's the challenge facing Microsoft. Many company developers and 
executives believe that securing Web applications is no different from 
protecting PC desktop software, something the company has learned over 
the course of three decades. At the same time, Microsoft must 
acknowledge the crucial differences in pace and scale that are 
presenting some of the most difficult security challenges ever 
encountered in digital technology.

For all its successes, Microsoft has in the past reacted slowly to 
industry change or has underestimated its impact. Case in point: back in 
the mid-1990s the company misjudged the significance of the Internet and 
Web-based computing. What followed has become equal parts lesson and 
legend, a call to arms from Bill Gates that ultimately sank arch rival 
Netscape Communications and set the course of Internet history. More 
recently, Gates and CEO Steve Ballmer have admitted to miscalculating 
the value of Web search and digital music, long after Google and Apple 
stole the show.

It is understandable, therefore, why Microsoft is determined not to fall 
behind in Web security. The key, according to many within the company 
and beyond, is not treating it like just another set of desktop bugs.

"The same rules apply. It is not a new science, it is a different 
environment to apply the same science," Boden said. However, he 
stresses, "We have to be very careful not to get complacent about saying 
we understand the problem, because it is going to change right in front 
of our eyes."

The 18-year company veteran understands why many at Microsoft cling to 
the notion that Web and desktop security are essentially the same. 
Although the types of threats change, Boden says desktop and server 
security lessons are equally valid when applied to online applications.

"There are pieces that are different," he said. "But the discipline of 
understanding what could break, how it could break, the impact of it 
breaking, how we protect it, how we respond to any event, those are 
fundamentally the same."

The main differences--and they are crucial--are speed and size. As Boden 
says, securing Web applications is all about scaling; if security 
doesn't scale, data could be at risk.

A year ago, Microsoft had about 30,000 servers in its data centers to 
support its online services. This year that's up to 80,000, and more 
growth is planned.

"The business stakes are enormous in this area," Boden said. "If we or 
anybody in this business violates the users' trust, then we're 
essentially out of the business."


Learning the hard way

If Microsoft veterans sometimes sound as if they've seen it all before, 
there's good reason: they've learned the hard way.

Five years ago, Microsoft's customers were getting hammered. That's when 
Gates launched his Trustworthy Computing initiative to make security a 
priority. Industry analysts have praised the effort, even though there 
are still plenty of vulnerabilities found in Microsoft software and 
attacks still occur.

Inside the MSN and Windows Live security offices, banners still work to 
remind employees of the importance of security, and a "Security 
Scorecard" keeps track of performance and ties into individual reviews. 

The regimented approach hasn't always been welcomed by the rank and 
file. Like human resources and IT staffs, the security department of any 
company is sometimes viewed like the internal affairs division within 
the police force--they're paid to keep an eye on you. The 55 members of 
the MSN and Windows Live security team set policies, assess risks and 
respond to security incidents.

Not surprisingly, initial efforts to reach out to other departments and 
employees were met with trepidation.

"We had a robotic image on a lot of our awareness campaign materials 
last year, and it portrayed a very stern, standoffish approach to the 
team," Boden said. "We went away from that, specifically because we want 
to build better relationships with the development teams."

Things are better now. Boden's department is engaged in an ongoing 
marketing campaign within the company, which includes hosting regular 
happy hours with local brews and chips and salsa.

"Redhook, Mac and Jack's, we're not short on beer here in the 
Northwest," Boden said.

Despite their unique mission, Boden's team in many ways represents a 
cross-section of the company. Members vary from someone who was hired 
straight out of high school at age 17 to veteran professionals with 
doctoral degrees in computer science.

Boden's background is equally diverse. Born in the United States to 
British citizens, he grew up in Southport, England, and attended high 
school in Philadelphia. It was a Tandy TRS-80 that first got him 
interested in computers. He worked for Deloitte Consulting before 
joining Microsoft, where he managed desktops and servers before falling 
into security as a project manager on Windows 2000.

"I found I enjoyed the challenges and pace of the security function much 
more than deploying software," Boden said.

He's certainly got plenty of what he asked for. As Microsoft has grown 
with Web technology, the threats to the empire have multiplied 
commensurately.

Vulnerabilities on the Web include cross-site scripting bugs that could 
leave personal accounts vulnerable to hijacking, facilitate 
data-thieving phishing scams or let hackers plant malicious code on a 
trusted site. Another commonly discussed problem is SQL injection, where 
an attacker could gain control over a database behind a Web application.

And with expansion has come additional risk, including complications 
raised by new business relationships with other companies that host 
parts or all of Microsoft-branded Web sites. In 2005, for example, an 
MSN Korea partner fell victim to cybercriminals who created a nefarious 
program that recorded user credentials for an online game onto the PCs 
of MSN Korea customers.

That same year, Microsoft kicked off its online initiative, proclaiming 
the "live era" of software. It announced online complements to Office 
and Windows. Recently, it unveiled a revamped version of Hotmail, one of 
its early online applications.

The "live" push is Microsoft's bid to partake in the online applications 
surge. These applications are helped by new development techniques such 
as Ajax that stretch the abilities of what Web sites can do, making them 
act more like traditional desktop apps. That, in turn, has translated to 
new opportunities for security breaches as well.

"It puts stress on our program, but we have been successful in creating 
a security model that really pushes accountability back to the business 
teams," Boden said.

In sharing responsibility for security across the company, Microsoft is 
similar to its rivals. As mashups become an increasingly common way of 
building Web applications, cooperation on security is essential for 
connecting multiple online applications.

Above all, Boden--like his counterparts at rival companies--says it is 
crucial to keep in mind why security is so important. As people continue 
to store their information online, the Web is becoming the equivalent of 
their personal filing cabinet.

To that end, Boden and his family are no different: they store all their 
personal data in Web applications.

"We're definitely all in," he said. "So if it fails, it fails for me 
personally and professionally."

