Scott Charney, Microsoft Corp.'s chief security strategist, was in Toronto Thursday and sat down with ITWorld Canada assistant editor Chris Conrath to discuss everything from securing Microsoft products to the fact the company is held to a high security standard, something he agrees is appropriate.
Chris Conrath: Microsoft's security initiative seems a never-ending project. How do you know when you are making progress?
Scott Charney: I came out of law enforcement. I was a prosecutor. (Your) question...made me remember I have been in the anti-crime business most of my professional career, and that never ends either. How do you know you are making progress? You look at statistics on street crime and all sorts of other things. You have to live with this notion that there is no victory; there is no finish line in your race. In the context of what we do at Microsoft, criminals will always attack systems just like there will always be crime. We will never be done, we understand that.
But the big transition is that we went from a period where everyone hyped up the Internet and security was not even an afterthought to this environment where security has to be done early, often and forever. So the Microsoft security development lifecycle is about building threat models at the design time; having people trained and creating architectures that mitigate risk all the way through to the other end where you are patching a vulnerability in the marketplace to make it secure.
One thing you measure to see progress is intangibles (such as) the fact that the company has integrated security into everything it does. Okay, that is a victory. Also, you want to know that you are making the right bets in your investment strategies. One thing we do watch is the number of vulnerabilities for which we have to issue patches. You can count them. For example, with Windows Server 2003 (versus Windows 2000 Server) the number of vulnerabilities dropped in (the) first year of life from 42 to 14. That is improvement, but 14 is still too many. But on the other hand, the security push on Windows Server 2003 happened at beta time and we all know that is not the time to do security. So now we have the security development lifecycle in things like LongHorn (Microsoft’s next major operating system)...built early in the process.
But we do count vulnerabilities and see the numbers moving in the right direction. And they will go lower. Why? Because we are doing security earlier and learning from what we have done.
We have also (implemented) some internal processes as part of the security development lifecycle. We have created a secure Windows initiative, (spearheaded by) a group of security experts who help product groups build threat models. There is also the final security review (FSR). Essentially what happens now is you build threat models at design time, you have to architect and code to mitigate threats, you test against the threat models, which get updated as you go, and then at beta time we are still doing this security push since it is a good time to take another look. And then when the beta comes back you make your final changes. Then you have this FSR, where the secure Windows initiative team goes through all the bug scrubs and makes sure all the security issues are rated the right way and mitigated effectively. And out of the FSR, groups are sometimes told they can't ship yet. The first time we did this it was like a deer in the headlights. Historically the product groups were (pushing to) ship it. They are all excited about shipping it...but were told, no, we have to (first) go back and mitigate this.