Paul Flessner, senior vice president of Microsoft's .Net Enterprise Server group, talked about the company's ongoing Trustworthy Computing initiative during an interview late last week with Computerworld's Carol Sliwa. Excerpts follow:
Q: Can you discuss the impact of Microsoft's intensive security initiative on your product group? The security effort overall is in a couple dimensions. One, it's about education to the development teams. ... [Two], it's about a thorough review of the code. ...
So the Windows team and the SQL Server team and the Exchange team and the e-business types and SMS management teams have all been through this process of training, code review. And now it's about how things are going to roll out and what fixes go where and how we're going to back-level some and how many just go forward, how many break compatibility. There's a lot of work and focus on that. ...
Thread analysis is a big deal. ... It's one thing to be secure where people are supposed to come in. You know, do you have the right authentication? Do you have the right privileges? Do you belong to a group? That sort of thing. And I think we're pretty good at that today, and I think a lot of people and a lot of different systems are pretty good at that.
It's this 'I didn't intend you to come in there,' and finding all of those and fixing them, that's the more complicated job. And we're doing a lot of stuff in that respect.
We work with customers. We see how people get in, and we use that to make the fixes. We do analysis there. We're hiring outside experts to do thread modeling and thread analysis. We're building our own teams internally to do thread modeling and analysis.
It's hard stuff. It actually takes a special kind of person who thinks ... out of the box. You really do want a very chaotic thinker. You don't want an analytical person to do it. It's a very different mind-set, because they have to be very generative in their thinking and think chaotically, and they kind of go at it like that. And then there's more structured analysis that comes after that.
Q: Have you had to make any staffing shifts or changes because of the need for that type of person? We are hiring those people, if you can find them. They're very hard to find. We are trying to train internally people to start to think chaotically, if you can do that.
Q: Were those the same internal people who were doing the security before? We're definitely supplementing with more people that think that way. A lot of the security people we had were the guys that were locking the doors and windows -- you know, the places where people were supposed to come in. And now we're having to supplement with these people that understand thread analysis better and think about chimneys and plumbing.
Q: Where have you found them? Have you been hiring them from outside companies? Talking to young hackers? Yeah. We've talked to all of the above. And there are people that try to make a living in this space, consulting firms who do that. We do watch who's doing what and try to talk to them. There are people that kind of advertise themselves this way, and you talk to them.
Coming out of school sometimes, there are people that just have a huge interest in this space. It's actually an area of research that's not well explored yet today, and we're talking to the research community about it.
Q: How many people have you hired so far? For security only? I don't have an exact number. I don't know. It wouldn't be hundreds. It would be tens.
Q: What kind of courses did you put your engineers through? Was it a set course that everybody took? We evolved it. ... Windows went through first, and we took their learnings and we modified the course data. Michael Howard is the gentleman at Microsoft who wrote this book Writing Secure Code. He had some information and we combined that with some third-party training, and we kind of evolved it and continue to make it better.
So it's not a one-time thing. We'll be retraining people all the time. As you come into Microsoft, before you code, you're going to be taking this training. There's a lot of effort going into making sure that people really understand how to do it, because it's just a change in thought, and it just takes that when you're writing your code.
Q: What products have been most affected by the security reviews? That's hard to say. I don't know the answer, honestly. We're still kind of doing the analysis of what the impacts are. Windows went through first, and they're kind of still sifting through all of what they're going to do.
But I feel very positive about it. I really do believe that the work we're doing is going to make a big difference. I think there's more we can do, but I really feel good about what we've done. ... I think our security model is very sound. Our failing, if you will, is not thinking like a criminal mind and going back and going through areas that we had no idea were vulnerable and patching that up.
Q: Do you feel Microsoft gets a bad rap on the security front? I don't think we get a bad rap. ... There's a statistic out there of all the operating systems and all the vulnerabilities. ... It's statistically proven that we don't have more vulnerabilities than anybody else. It's just that we cover a huge installed base, and so when we are penetrated, it's a huge deal for customers. And we hate it. I mean, it makes me sick. It's just something that really bothers me. And we're going to do our best to plug it up.
Q: Have any products had delayed ship dates because of this security review? Yeah, probably on one level, all of them. You know, all the next releases will have some impact by this work, and probably all of our releases going forward will. I mean, the reality is we have to think about the game differently.
Q: What lessons have you learned as a result of the security review? I think the thing that pops up is, we call it code hygiene -- just the need to constantly be replacing code and upgrading it with the latest thinking and ideas. ... [With] each release, we go in, we rewrite a component of the code because it ages and it gets beat up over time because of maintenance.
I think what we're going to be doing more ... is being more rigorous about inventorying our code and making sure that we replace it on a more timely basis so that we can get the latest thinking in it and the highest bar for quality.
I think it's not only Microsoft's challenge; I think it's an industrywide challenge. I think we can do a lot more about the quality of our software.