Interview with a security Professional - Stephen Toulouse


alt.don, SF Boss
Joined: 04 Mar 2003

Posted: Thu Dec 15, 2005 11:02 pm    Post subject: Interview with a security Professional - Stephen Toulouse

In our continuing series of "Interview with a security professional" we are pleased to have Stephen Toulouse, Senior Product Manager, Security Business Unit of Microsoft Corp.


Question

Microsoft lately made a great move in my opinion by organizing the “Blue Hat” event. It was remarked by Dan Kaminsky that he was impressed that so many executives had such a grasp of computer security. That really is a major accomplishment; what did Microsoft do in order to ingrain such a grasp of computer security upon their executive corps?


Stephen's answer

For many years, members of the Microsoft security team have been attending security conferences around the world. We learned that fostering an open dialogue with the security researcher community was an important element in Microsoft’s effort to help protect customers. Through the many different engagements, our team has come to realize that we at Microsoft have more in common with this community than many would originally believe. For the most part, we all share the common goal of helping keep customers safe.

Today, you can find Microsoft representatives at more than 30 security conferences worldwide each year. Through these interactions, we have come to recognize the unique perspective that this community can offer to Microsoft developers. This community consists of more than just vulnerability finders; it also includes individuals who are contributing to the research and thought leadership in areas like cryptography, network design, or intrusion prevention. These contributions can have a direct positive result on the overall security of our customers, and we want to learn everything we can from this community.

That’s why we have events like Blue Hat. Blue Hat is an internal event at Microsoft in which outside security researchers are brought in to share their knowledge and expertise of the security threat environment, which helps Microsoft improve the security of our software and development methodologies. This gives executives an opportunity to engage with security researchers directly and get feedback first-hand about how to improve the security of Microsoft products.

Question

Microsoft gets repeatedly slammed for shoddy coding. The reality is though that with so many millions of lines of code it is inevitable that you will have buffer overflow, format strings, and other issues. Do you feel that Microsoft is unjustifiably being bashed for their coding practices?


Stephen's answer

The important thing to remember is that no software is 100% secure. All software contains bugs and some bugs result in security vulnerabilities. Linux users have to update their software. Apple users have to update their software. What we’re focusing on for our customers is working to reduce the number of security vulnerabilities that ship in our products. And we’re making progress. Certainly, we’re not done, and we will continue to work to make our software more secure. It’s clear when you look at the security improvements in Windows Server 2003 and Windows XP Service Pack 2 that our focus on providing greater defense in depth and the ongoing work across the company is helping to deliver on Microsoft’s vision of Trustworthy Computing. Those products have more secure default settings, more advanced security technologies like the Windows Firewall, and have had far fewer security vulnerabilities than previous products.

That’s a direct result of our work to provide a more secure computing experience. We began security pushes and training for our engineers almost three years ago as part of our Trustworthy Computing Initiative. Since then, we have retrained most of our developers by providing them with enhanced tools and education on secure development practices. Incorporating our learnings over the last two years, Microsoft’s internal Security Development Lifecycle (SDL) describes the ways that Microsoft is modifying its software development processes to better accommodate security best practices and achieve measurably improved security. We’ve used the SDL on many products, including Windows Server 2003, SQL Server 2000 SP3, and Microsoft Exchange Server SP3. In fact, Windows Server 2003 was the first operating system released at Microsoft that implemented large portions of the SDL, and compared to Windows 2000, it had 63 percent fewer vulnerabilities in the first year.

Microsoft requires internal use of the SDL for any product commonly used or deployed within an enterprise, any product that regularly stores, processes, or communicates financial or other sensitive customer information, and any product that regularly touches or listens on the Internet.

When we hear of people talking about the quality of our code, we see that as feedback and work to take as many opportunities as possible to do more to help secure customers.

Question

Microsoft has made great inroads in regards to secure coding. IIS 6 is a prime example of it. Was this largely due to Microsoft contracting out code audits to some of the high profile names in the security industry, or also to better in-house development?


Stephen's answer

It’s both. As part of the Trustworthy Computing initiative, we’ve made a significant effort to improve the security and reliability of the products. Internet Information Services (IIS) 6.0, included in all versions of Microsoft Windows Server 2003, has been extensively reengineered to provide better security, increased reliability, and improved performance.

IIS6 of course is a part of Windows Server 2003, which was the first operating system released at Microsoft that implemented large portions of the SDL, and compared to Windows 2000, it had 63% fewer vulnerabilities in the first year. IIS6 is an example of a technology that helped make this software more secure. In the two years following its release, Microsoft has issued one security bulletin affecting the Web server, and this was in a component (WebDAV) that is not installed by default.

While the samples of security vulnerabilities are still small and the time periods are limited, these results provide evidence that the SDL is effective. Microsoft will continue to monitor the rates of vulnerabilities in Windows Server 2003 and the Exchange Server and SQL Server service packs to see if the early trends continue.

But also, we work to incorporate the absolute latest understanding of security threats and trends into the Security Development Lifecycle process. Establishing ongoing relationships with responsible researchers contributes to this significantly. The expertise and insight that security researchers provide Microsoft plays an important role in analyzing vulnerabilities and developing security updates, as well as contributing to the development of better quality code.

Question

I once dealt with the Microsoft Security response center over a vulnerability that I had found. Though we had a disagreement over part of it (the vulnerability), it was taken seriously enough by them that I ended up having a phone conference with Ed Mulholland and one of the main developers for the product. Do you think though that given Microsoft’s size, and wealth that reported security issues should be resolved quicker?


Stephen's answer

Microsoft is almost always investigating potential and existing vulnerabilities in an effort to help protect our customers. Creating security updates that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe. In some instances, multiple vendors are affected by the same or similar issue, which requires a coordinated release.

Question

Microsoft in reality sells solutions, not security products in and of themselves. Do you feel, though, that people don’t grasp this distinction? After all, you don’t market your products as security solutions, but rather as business solutions.


Stephen's answer

We’re committed to delivering software, services and best practices that together will help protect customers’ systems so they can fully leverage the benefits of technology and the Internet with the confidence that their systems are protected. When it comes to security, Microsoft’s focus is really in developing trust in the platform. Since the Trustworthy Computing initiative was introduced in early 2002, we’ve been working wholeheartedly to address security issues within our products and the industry. Microsoft has made a number of advances since then, and will continue to do so in the future. Within our focus on technology investments, we’re taking a “defense-in-depth” approach to protection and aligning around three core pillars: Fundamentals, Threat and Vulnerability Mitigation, and Identity and Access Control.

Our end goal is to make sure our customers have trust in computing whether they are a home PC user making online purchases or an IT administrator managing access to the corporate network. All of our investments are made with an eye towards our defense in depth approach and are aligned with the three core pillars that help protect customers of all sizes.

Question

If someone were interested in a future position in the Microsoft security response center, what skills would you advise them to learn?


Stephen's answer

We’re always looking for people passionate about security and who have a focus on protecting customers. While it is Microsoft’s policy not to comment on recruiting, we can tell you that there are several specially focused teams that work in concert with the Microsoft Security Response Center to quickly mobilize to investigate, fix and learn from security vulnerabilities. The members of the MSRC work with the security community and internal experts while constantly monitoring secure@microsoft.com to learn about potential security issues, and then triaging and coordinating all security response activity.

Designated product-specific security experts investigate the scope and impact of a threat on the affected product. The Secure Windows Initiative team evaluates the overall impact of the threat to determine its potential impact on other Microsoft products. Product Support Services, Security works to ensure that customers have timely and prescriptive information so that remediation can be deployed as soon as possible. The Security Engineering Strategy team works internally to prevent the error from occurring in the future and to learn how defense in depth measures can be built into new products to protect against similar threats. The Security Technology Unit works to ensure that Microsoft is providing the security products and services to protect customers from contemporary threats. The Trustworthy Computing team ensures that Microsoft is delivering on the TWC vision and works with the industry to improve the security of the Internet ecosystem. Law enforcement worldwide, through information and technical expertise, mobilizes to identify and hold responsible malicious users who break the law by engaging in malicious activity that threatens our customers.

So as you can see there are several different teams that invest time and expertise into security response processes, requiring a variety of skills and talents. But there’s one thing in common among them all: working to protect customers.

Question

With many people agreeing that Microsoft is making a genuine effort to get better as it regards their products security, what do you think Microsoft still needs to work on?


Stephen's answer

While we have made significant progress towards helping to protect our customers and the industry from contemporary threats, we absolutely recognize that there is still work to be done. Our approach to security requires continued technology investment from the industry and customers, prescriptive guidance, and industry leadership through partnership, policy and initiatives.

Question

What top five quick pieces of advice would you give a medium to large size corporate network in order to help them secure their Microsoft centric networks?


Stephen's answer

Midsize companies are typically concerned about the same security issues as larger firms, though midsize companies have fewer resources to deal with the problem. This makes it increasingly important for the security products used by midsize companies to help protect against current and emerging malware threats, report information that helps administrators to effectively focus resources and build upon existing technology to help maximize the value of existing investments.

Microsoft recommends that all customers follow the three steps outlined in the Protect Your PC guidance to help protect themselves from security threats. More information can be found here: http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx.

In addition, we encourage our enterprise customers to follow the guidance outlined by Microsoft to help keep your business secure. More information can be found here: http://www.microsoft.com/midsizebusiness/security/virusprotection.mspx.

We recognize that many of our customers have varying network structures and security configurations and so encourage all customers to evaluate this guidance based on their individual needs. Additional guidance for enterprise customers is available here: http://www.microsoft.com/technet/security/default.mspx.

Question

Do you have any parting words you would like to share with our members?


Stephen's answer

We would just like to continue to encourage all customers to visit www.microsoft.com/security to stay informed and up to date on Microsoft’s latest efforts to ensure customers are secure and protected from contemporary security threats.

This interview is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.


Last edited by alt.don on Sat Jan 14, 2006 5:23 pm; edited 1 time in total

mxb, Trusted SF Member
Joined: 30 Mar 2004

Posted: Sat Dec 17, 2005 12:57 am

Another good interview there Don, however in my opinion it didn't seem as good as some of the others. Maybe it's just the way I read it, but there seemed to be less and less information given in answering the questions as the interview progressed. The most obvious example of this would be question #6 re skills to learn. In response to this Stephen just replied that they do not discuss recruiting, and then explained how security at Microsoft is handled. Possibly useful information, but it didn't really live up to my expected answer.

It was a good interview though, and gave another insight into the community at large. I think this is interview #9 now and I can imagine that they require a lot of time to organise and think of the questions - so I would like to send a hearty thanks for the effort you put into these. I find them very useful and informative, and have learnt about areas that are not my speciality. Cheers!

Martin

alt.don, SF Boss
Joined: 04 Mar 2003

Posted: Sat Dec 17, 2005 1:29 am

Hi Martin,

Many thanks for the kind words. Indeed a good deal of time and thought go into the questions, as we don't want the interviews to become repetitive. As to Stephen's answers... well, I think we need to bear in mind that they needed to be vetted by the MS handlers, I imagine.

Cheers,

Don

Cass, Lurker
Joined: 14 Aug 2003
Location: Scotland

Posted: Sat Dec 17, 2005 4:19 am

That's the impression I got... MS had written this article to suit... not as revealing as the others, I'll have to agree... though still nice work getting MS to talk to us, even though I'm sure they censored it.

Cheers

Cass

onoski, Just Arrived
Joined: 30 Nov 2005
Location: London UK

Posted: Tue Dec 20, 2005 12:17 am    Post subject: At least he spoke the truth

Nice interview Don, and keep up the excellent work. I think Stephen was right, as there is no software that is 100% bug free security-wise. It is how the system administrator defends the software, through continued patch updates and firewall configurations that are not gimmicks, that counts as well. Yes, I am not employed by Microsoft either.

I would imagine, if MS$ were bug free, what most of us in the IT career field would be doing on this site; or better still, we might not even be in an IT-focused role. Cheerio.