Information Security News mailing list archives

Q&A: Microsoft Senior VP Paul Flessner on Trustworthy Computing


From: InfoSec News <isn () c4i org>
Date: Thu, 18 Apr 2002 02:33:43 -0500 (CDT)

http://www.computerworld.com/storyba/0,4125,NAV47_STO70176,00.html

[Flessner dances around the questions in classic Microsoft fashion,
which begs the question why he was being interviewed in the first
place. From the sound of the article, I'd be willing to bet Microsoft
has hired more food service employees in the timeframe that
"Trustworthy Computing" became a real issue than security people - WK]


By CAROL SLIWA 
April 15, 2002 

Paul Flessner, senior vice president of Microsoft Corp.'s .Net
Enterprise Server group, talked about the company's ongoing
Trustworthy Computing initiative during an interview late last week.
Excerpts follow:


Q: Can you discuss the impact of Microsoft's intensive security
initiative on your product group?

A: The security effort overall is in a couple dimensions. One, it's
about education to the development teams. ... [Two], it's about a
thorough review of the code. ...

So the Windows team and the SQL Server team and the Exchange team and
the e-business types and SMS management teams have all been through
this process of training, code review. And now it's about how things
are going to roll out and what fixes go where and how we're going to
back-level some and how many just go forward, how many break
compatibility. There's a lot of work and focus on that. ...

Threat analysis is a big deal. ... It's one thing to be secure where
people are supposed to come in. You know, do you have the right
authentication? Do you have the right privileges? Do you belong to a
group? That sort of thing. And I think we're pretty good at that
today, and I think a lot of people and a lot of different systems are
pretty good at that.

It's this 'I didn't intend you to come in there,' and finding all of
those and fixing them. That's the more complicated job. And we're
doing a lot of stuff in that respect.

We work with customers. We see how people get in, and we use that to
make the fixes. We do analysis there. We're hiring outside experts to
do threat modeling and threat analysis. We're building our own teams
internally to do threat modeling and analysis.

It's hard stuff. It actually takes a special kind of person who thinks
... out of the box. You really do want a very chaotic thinker. You
don't want an analytical person to do it. It's a very different
mind-set, because they have to be very generative in their thinking
and think chaotically, and they kind of go at it like that. And then
there's more structured analysis that comes after that.


Q: Have you had to make any staffing shifts or changes because of the
need for that type of person?

A: We are hiring those people, if you can find them. They're very hard
to find. We are trying to train internally people to start to think
chaotically, if you can do that.


Q: Were those the same internal people who were doing the security
before?

A: We're definitely supplementing with more people that think that
way. A lot of the security people we had were the guys that were
locking the doors and windows -- you know, the places where people
were supposed to come in. And now we're having to supplement with
these people that understand threat analysis better and think about
chimneys and plumbing.


Q: Where have you found them? Have you been hiring them from outside
companies? Talking to young hackers?

A: Yeah. We've talked to all of the above. And there are people that
try to make a living in this space, consulting firms who do that. We
do watch who's doing what and try to talk to them. There are people
that kind of advertise themselves this way, and you talk to them.

Coming out of school sometimes, there are people that just have a huge
interest in this space. It's actually an area of research that's not
well explored yet today, and we're talking to the research community
about it.


Q: How many people have you hired so far?

A: For security only? I don't have an exact number. I don't know. It
wouldn't be hundreds. It would be tens.


Q: What kind of courses did you put your engineers through? Was it a
set course that everybody took?

A: We evolved it. ... Windows went through first, and we took their
learnings and we modified the course data. Michael Howard is the
gentleman at Microsoft who wrote this book Writing Secure Code. He had
some information and we combined that with some third-party training,
and we kind of evolved it and continue to make it better.

So it's not a one-time thing. We'll be retraining people all the time.  
As you come into Microsoft, before you code, you're going to be taking
this training. There's a lot of effort going into making sure that
people really understand how to do it, because it's just a change in
thought, and it just takes that when you're writing your code.


Q: What products have been most affected by the security reviews?

A: That's hard to say. I don't know the answer, honestly. We're still
kind of doing the analysis of what the impacts are. Windows went
through first, and they're kind of still sifting through all of what
they're going to do.

But I feel very positive about it. I really do believe that the work
we're doing is going to make a big difference. I think there's more we
can do, but I really feel good about what we've done. ... I think our
security model is very sound. Our failing, if you will, is not
thinking like a criminal mind and going back and going through areas
that we had no idea were vulnerable and patching that up.


Q: Do you feel Microsoft gets a bad rap on the security front?

A: I don't think we get a bad rap. ... There's a statistic out there
of all the operating systems and all the vulnerabilities. ... It's
statistically proven that we don't have more vulnerabilities than
anybody else. It's just that we cover a huge installed base, and so
when we are penetrated, it's a huge deal for customers. And we hate
it. I mean, it makes me sick. It's just something that really bothers
me. And we're going to do our best to plug it up.


Q: Have any products had delayed ship dates because of this security
review?

A: Yeah, probably on one level, all of them. You know, all the next
releases will have some impact by this work, and probably all of our
releases going forward will. I mean, the reality is we have to think
about the game differently.


Q: What lessons have you learned as a result of the security review?

A: I think the thing that pops up is, we call it code hygiene -- just
the need to constantly be replacing code and upgrading it with the
latest thinking and ideas. ... [With] each release, we go in, we
rewrite a component of the code because it ages and it gets beat up
over time because of maintenance.

I think what we're going to be doing more ... is being more rigorous
about inventorying our code and making sure that we replace it on a
more timely basis so that we can get the latest thinking in it and the
highest bar for quality.

I think it's not only Microsoft's challenge; I think it's an
industrywide challenge. I think we can do a lot more about the quality
of our software.




-
ISN is currently hosted by Attrition.org


