UPDATE: Looks like they keep stock-piling Security talent over there at Blue. This time Mike Andrews announces he will be joining the Bing team.
A few years ago I never would have imagined writing this, but it has become very apparent that Microsoft is a serious security company. Sure they have many issues to deal with, but doesn’t any company of this size?
Evidence has been piling up recently that security is being taken very seriously in Redmond. Some examples include:
- They started holding the Bluehat sessions, gathering various security experts from multiple domains (including the likes of Dan Kaminsky and Robert Hansen, "RSnake") and having them work with Microsoft staff and present in internal learning sessions.
- They formed their ACE team responsible for performance, security and privacy across Microsoft.
- They have published some of the first and only books and software on threat modeling.
- Microsoft published a security wiki, now in beta.
- Of course, everyone is aware of their Trustworthy Computing initiative.
- Believe it or not, an anti-XSS library from MS.
And now this. Mark Curphey is joining the Microsoft ACE team and bringing his product idea with him! This is a great hire for Microsoft and I am very much looking forward to the development of the Oxygen Security platform originally conceived by Mark at SourceClear. I have a great deal of respect for him and have had the opportunity to discuss with him his ideas around the product. For those who don’t know him, he has a great security background that includes the founding of OWASP and leadership positions at Foundstone and ISS.
Congratulations to Mark and Microsoft. Now get busy building Oxygen.

Thanks for the kind words, Ed. I have ordered my laptop and booked my flights to Seattle for the first few weeks. We'll have a product roadmap / vision ready to share and then I'll make sure we capture your exact requirements in our product plans.
Like you I have witnessed a real effort and real results at MSFT. I don't see other vendors pushing out the guidance that the PAG folks and the ACE team do. It's certainly no panacea and there is obviously a lot of work to do and an ongoing battle to fight, but with the resources and commitment it's going to be a great ride.
OK, back to that business plan! Thanks again.
I have to comment on this one – as I am secretly a MS lover at heart. When you are the largest "target" in the world, you have to do something. The way I look at MS and their ingenious QA scheme is that they have by extension the largest security vulnerability testing group in the world. They get a lot of their testing done for free by their self-professed haters!
To handle this “popularity”, MS has arranged their internal QA departments and security departments to focus on the real time fixes as the vulnerabilities are found out in the “wild”. They have taken the initiative to use the security spotlight that they are in and do something about it. The amount of money that they invest just on the security/reengineering of the product is staggering to most companies. I would ask this question: Who is spending the same ratio as a percentage of overall revenue on security and QA? Who else needs to and will they follow this example when the vulnerabilities start to pile up?
With that said, they are one of the only companies to invest this much time and effort into the security of their platform. With their new Vista OS, for example, they have built in commercial grade encryption and they continue to release security patches monthly for Vista and all of the other OS that they support. They have also “listened” to the past mistakes made and pointed out by their illegal “open-source” community and put in the appropriate fixes.
Check out the research done on these additional security features in a research paper from a student out of Auckland University http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html – he must have been bored, but he points out some interesting facts.
So with all of the people working on the security of the platform (internally and externally) and with all of the “real-time” security patching that is occurring you are getting a product that has a good level of security. The future looks bright and the economic payoff is that you are getting an OS that will stick around – because it is so secure.