[ISN] Scott Charney: Microsoft's Ax Man

From: InfoSec News (alerts@private)
Date: Mon Apr 28 2008 - 23:52:11 PDT


http://www.pcworld.com/businesscenter/article/145137/scott_charney_microsofts_ax_man.html

By Nancy Gohring
IDG News Service
April 25, 2008 

Some people might dream of having the power to kill a product just 
before launch at a company the size of Microsoft, but for Scott Charney, 
that's just part of the job.

Charney, vice president of trustworthy computing, was hired by Microsoft 
in early 2002 to spearhead the company's security strategy. He built a 
team that looks for vulnerabilities in products during development and 
works to implement security into product design. If the team finds an 
issue, even if the product is just about to ship, Charney can order the 
product back to the drawing board until the problem is fixed.

Microsoft's implementation of its secure-development lifecycle process 
has led the industry, said Andrew Jaquith, an analyst at Yankee Group. 
"They have really been a pacesetter in this area," he said.

Still, Microsoft didn't create the initiative out of choice, Jaquith 
said. "It was born out of necessity because customers were threatening 
to defect," he said. Microsoft once had an internal list, called the 
executive hot list, made up of "customers so furious with security that 
they called [Bill] Gates or [CEO Steve] Ballmer personally," Jaquith 
said. "In many respects, that caused the trustworthy computing 
initiative to be born." Microsoft's public-relations firm said that the 
company would not comment on the matter.

Since Charney joined Microsoft, on five occasions vice presidents in 
charge of products have disagreed with his no-ship order, Charney said 
recently to a group of reporters at Microsoft's headquarters in Redmond, 
Washington. Craig Mundie, chief research and strategy officer at 
Microsoft, was called to settle the disputes, and each time he sustained 
Charney's no-ship order.

Once, Charney reversed his no-ship order himself. That was after his 
team found out about an issue in Windows Mobile 2003 that should have 
been fixed before it shipped, he said. But then Pieter Knook, who was in 
charge of Microsoft's mobile communications business until he left the 
company this February, explained that delaying the product launch would 
mean missing the end-of-year holiday season -- and that the issue could 
be fixed after the launch. Charney decided to let the operating system 
ship.

His team typically finds issues during development and makes sure the 
problems are fixed, he said.

"Every now and again we get surprised," he said. Sometimes a 
vulnerability is discovered in an older version of a product, and his 
team realizes that a newer version in development might also have the 
same problem.

Microsoft hired Charney, who had worked for the U.S. Department of 
Justice and served as assistant district attorney in the Bronx, at what 
he said was a unique time. The Sept. 11 attacks had just happened, and 
two major computer worms, Code Red and Nimda, had recently spread 
rapidly across the Internet. That combination of events created a unique 
environment, when previously complacent vendors and governments realized 
they needed to get more serious about computer security, he said.

Since then, Microsoft's trustworthy computing initiative has been 
largely successful, although there are still a few sore spots, Jaquith 
said. Security researchers are impressed by the improvements in 
Microsoft's products and say that the company is being much more 
transparent about its security processes than it used to be, he said. 
Microsoft has also improved its response times to customer concerns 
about security, he said.

But there are some vulnerable aspects of Microsoft's software that the 
company hasn't fixed and doesn't appear to intend to fix, Jaquith said. 
For example, Microsoft has not addressed certain security issues in 
Internet Explorer's ActiveX, a major vector for malware, he said.

The next step in Charney's vision for trustworthy computing is securing 
the Internet. He recently unveiled a new initiative that is, in essence, 
a call to arms for all Internet companies to work together to create a 
more trusted Internet. In a white paper, he broadly describes 
Microsoft's vision and invites feedback on the ideas. Microsoft is 
asking "all who care about online safety to join in a robust and 
meaningful discussion about building a more trusted Internet," Charney 
wrote in a statement about the initiative.

