Despite Latest Threats, Microsoft's Cyber Czar Optimistic About IT Security
Despite the recent spate of headline-grabbing security breaches and accusations that foreign governments are sponsoring cyber-attacks, the head of Microsoft's Trusted Computing group, Scott Charney, remains optimistic about the future of IT security. Speaking to attendees at the annual RSA security conference in San Francisco last week, Charney said that his optimism is "not delusional" but "based in fact" -- specifically, the growing adoption of secure software development practices and the evolution of the trusted software stack.
"We have made great headway and now done a bunch of things that make us secure," Charney said. "It creates for us an opportunity to fundamentally reshape our posture, where we can be less reactive and more predicative."
Charney pointed to Microsoft's own Secure Development Lifecycle (SDL), which is part of the company's Trustworthy Computing initiative. The SDL is a set of development requirements aimed at reducing security defects in software. The process outlines a series of security-focused activities for each phase of the software development process, including the development of threat models during the design phase, the use of static analysis code-scanning tools during the implementation phase, and the conduct of code reviews and security testing during a focused "security push" phase. Before software subject to the SDL can be released, it must undergo a final security review by a team independent from its development group.
"Attackers will attack the weakest links," Charney said. "Microsoft's biggest accomplishment with the secure development lifecycle was that we proved we could scale it across 36,000 engineers." He added: "Organizations are adopting SDL practices, and producing more secure software."
Charney also pointed to the introduction of the Unified Extensible Firmware Interface (UEFI) specification, which is designed as a more secure alternative to the Basic Input/Output System (BIOS), offering a more secure boot process. Machines that come with Windows 8 preinstalled use the UEFI spec.
But Charney never mentioned the worldwide outage of Microsoft's Azure cloud-storage service late last month, the result of an expired SSL certificate, which the company confirmed late last week and blamed on a breakdown of its own processes. At the same time, the company acknowledged that intruders had attacked some systems in its Macintosh business group. The company said the intrusion was part of a similar cyber-attack that targeted Facebook and Apple. "During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations," Microsoft said in a statement.
Neither did he mention recent attacks on The New York Times, The Wall Street Journal, and Twitter, though he alluded to them. "In the last year the world has changed from a client server view of the world to a more complicated model due to the cloud," he said. "The world is now also increasingly looking at regulations, compliance and certifications."
If there is a reason to share Charney's optimism about the future of IT security, it's not because of the SDL, says John Viega, EVP at cloud solutions provider SilverSky.
"It's because people are rarely being infected through software vulnerabilities," Viega told Redmond. "It's usually through social engineering. And frankly, people have learned to accept a certain amount of risk from software. It's a bit like accepting the risk associated with driving a car."
Viega, who co-authored a number of well-known books on software security, including Building Security In (with Gary McGraw, Addison-Wesley Professional, 2001), participated in a two-person debate at this year's RSA conference, arguing with Adobe's Brad Arkin over the question: "Is security software a waste of time?"
Viega agreed that the application layer has become a focus of targeted attacks, and during the RSA debate, he essentially argued for SDL-like approaches to software development. But he added in a later interview that, although Microsoft is making progress, "the SDL works well for Microsoft, but it doesn't really work well for anyone else."
Viega suggested that the time and money many organizations spend on software security initiatives might be better spent on fixing flaws after applications are shipped or deployed.
"The bad guys are always going to look for the low-hanging fruit," he said. "And that often is the app. But even if you do plug that hole, the bad guys are still leveraging social engineering, even when there is a vulnerability."
Viega also hastened to point out that the recent breach at Microsoft was an IT organization problem, which is not Charney's bailiwick.