Politics over risk management can cost a lot of money: Microsoft

After a small avalanche of statements and some technical detail at the recent RSA Security conference in San Francisco, Microsoft's bowling-shirted evangelical Security Summit promotional roadshow paid a whistlestop visit to Australia last week.

While there have been some notable doubts about the vendor's will to deliver secure code for some time, let there be no doubt whatsoever about the software behemoth's marketing prowess. For those that have not noticed, Microsoft is really serious about security this time around and it means it.

For starters, Microsoft director of security, George Stathakopoulos, said meaningful detail on the controversial Next Generation Secure Computing platform will emerge in "a year to a year and a half", adding that a lot more will be unveiled with Longhorn – but not to take him as the authority on the official timelines.

"We want to get it right. We are doing things with memory management so that you are not leaving bits of memory all over the place. We are providing mechanisms for developers to create code that is very fine-grained. They will give you the code blocks that will make it possible for developers not to dumb stuff down," Stathakopoulos said.

Moving from stick to carrot, Stathakopoulos said that coders could be "positively motivated".

"If you have a kid, you can give them boundaries and that makes them happier," Stathakopoulos said, adding that parents would know what he meant.

Meanwhile, security business unit product manager Steve Riley was doing his level best to inspire developers - and avoid sanitised corporate double-speak. True to form, the man most feared by the vendor's issues management staff (apart from Bill) was delivering pearlers.

"We screwed up when we said TRUST US," Riley said before launching into a cavalcade of methods to knock out gaping ports and buffer overflow opportunities. The security unit at Microsoft now had "the power of veto over the rest of the business", Riley added and then proceeded to outline customer feedback.

"This is what we learned from our most pissed-off customers, like MSN. When we say patch, they say WHAT because they have 30,000 servers."

Riley then dived into what he termed "immutable laws" of patch management.

"Law number two: there is no patch for bad judgement," Riley proclaimed.

Behind him, on huge video screens, a larger-than-life image of Steve Irwin appeared followed by a short movie of Irwin taunting an agitated female crocodile by repeatedly smacking it on the nose. Time after time the poor, tormented reptile snapped at Irwin's hand only to miss.

"I like to offer up each country its own national embarrassments," Riley joked.

Then, after what seemed an eternity, the reptile's ivories finally came down on Irwin's hand and embedded themselves in it.

"Crikey that was close! That could have crushed me," Irwin shouted, his hand punctured and bleeding.

"He knew the risks," Riley mused. "Politics over risk management can cost you a lot of money".
