Scott Charney, Microsoft Corp.’s chief security strategist and vice-president, Trustworthy Computing, was in Toronto recently and sat down with ComputerWorld Canada assistant editor Chris Conrath to discuss everything from securing Microsoft products to the fact that the company is held to a high security standard, something he agrees is appropriate.
Microsoft’s security initiative seems a never-ending project. How do you know when you are making progress?
I came out of law enforcement. I was a prosecutor. (Your) question…made me remember I have been in the anti-crime business most of my professional career, and that never ends either. How do you know you are making progress? You look at statistics on street crime and all sorts of other things. You have to live with this notion that there is no victory; there is no finish line in your race. In the context of what we do at Microsoft, criminals will always attack systems just like there will always be crime. We will never be done, we understand that.
But the big transition is that we went from a period where everyone hyped up the Internet and security was not even an afterthought to this environment where security has to be done early, often and forever. So the Microsoft security development life cycle is about building threat models at the design time: having people trained and creating architectures that mitigate risk all the way through to the other end where you are patching a vulnerability in the marketplace to make it secure.
One thing you measure to see progress is intangibles (such as) the fact that the company has integrated security into everything it does. Okay, that is a victory. Also, you want to know that you are making the right bets in your investment strategies. One thing we do watch is the number of vulnerabilities for which we have to issue patches. You can count them. For example, with Windows Server 2003 (versus Windows 2000 Server) the number of vulnerabilities dropped in (the) first year of life from 42 to 14. That is improvement, but 14 is still too many. But on the other hand, the security push on Windows Server 2003 happened at beta time and we all know that is not the time to do security. So now we have the security development life cycle in things like Longhorn (Microsoft’s next major operating system)…built early in the process.
But we do count vulnerabilities and see the numbers moving in the right direction. And they will go lower. Why? Because we are doing security earlier and learning from what we have done.
We have also (implemented) some internal processes as part of the security development life cycle. We have created a secure Windows initiative, (spearheaded by) a group of security experts that help product groups build threat models. There is also the final security review (FSR). Essentially what happens now is you build threat models at design time, you have to architect and code to mitigate threats, you test against the threat models, which get updated as you go, and then at beta time we are still doing this security push since it is a good time to take another look. And then when the beta comes back you make your final changes. Then you have this FSR, where the secure Windows initiative team goes through all the bug scrubs, makes sure all the security issues are rated the right way and mitigated effectively. And out of the FSR, groups are sometimes told they can’t ship yet. The first time we did this it was like a deer in the headlights. Historically the product groups were (pushing to) ship it. They were all excited about shipping it…but were told, no, we have to (first) go back and mitigate this.
What has been the biggest disappointment in pushing forward Microsoft’s trustworthy computing initiative?
I can’t say I am really disappointed. The big things, like the cultural changes, are happening. The security development life cycle is happening. There is always a lag in perception versus where you are. That can be in both directions, like a consumer report that says a product is great but it has actually been in decline for a number of years but the reputation is still good. I suppose it is more a frustration. I travel all over the world talking about what we are doing, and you have to do that because it is really important — and you meet so many people who still think that it is the old Microsoft. We have been publishing books on writing secure code, giving speeches, holding conferences, but it is hard to touch everybody even in an Internet-connected world.
Given what could be perceived as a lack of understanding by many of Microsoft’s efforts on security, do you think the company gets a fair shake?
Our ubiquity, of course, makes us a target for criminals. And one thing that has changed within the company is our recognition that we are a critical infrastructure provider. The company prides itself, and rightly so, on being the world’s largest start-up, and you want to keep that flavour and innovation. But on the other hand we are a critical infrastructure provider. So many people are affected by what we do. People will hold us to a higher (standard) and I actually think that is fair. When Slammer hit, and we were talking internally about what to say to our customers, we understood that it was not just about them. You could have someone who is a Linux devotee, and actually hates Microsoft and would never go near our products with a 50-foot pole, but who can’t access a site as the Internet is clogged because of the Slammer worm. So it is not just about communicating with our customers, it is about communicating with everyone because people are affected by us even if they are not running our stuff. This is true for other areas too; 9/11 shut down the airlines but some people thought it didn’t affect them because they didn’t fly. They weren’t thinking that they can’t get their mail because the post office uses commercial airlines. The impact is broader than what you see on the surface. I actually think that because of our ubiquity we are going to be held to a high standard and I think that is appropriate.