Microsoft no longer a 'laughingstock' of security, Charney says

Its Trustworthy Computing initiative has made it a model for others

As corporate vice president of Trustworthy Computing (TwC) at Microsoft, Scott Charney is among those at the helm of the company's long-standing efforts to improve the security of its products. In an interview with Computerworld, Charney -- a former federal prosecutor of computer crimes and an assistant district attorney in the Bronx before that -- talked about TwC, the changing threat environment and what security fears keep him awake at night.

This is part 1 if a two-part interview. Part 2 will be posted on Friday.

Does it frustrate you that Microsoft still gets a pretty bad rap on security despite some of the initiatives the company has taken in recent years?

It depends on what the criticism is. The other vendors are doing things but, to be blunt, I don't think any vendor has done as much as we have done. In fairness, a lot of people have given us credit for that. We used to be the laughingstock of security, and now you read all sorts of articles and analysts' reviews saying you should follow Microsoft's lead. The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the Security Development Lifecycle (SDL) is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug. But let's get realistic for a minute: It's not a realistic goal. Sometimes you get these questions, where people say, "You have invested all this money and effort and you talk about the SDL, and you are still not perfect," and I don't think that's a fair criticism. Look, that bridge in Minnesota just collapsed. How long have we been building bridges? We know how to build bridges, right? Sometimes people just have unrealistic expectations of what we can do.

It's been close to six years since Microsoft launched its Trustworthy Computing initiative. What has its biggest contribution been?

The biggest contribution in the security space has been the SDL. We have processes in place now where we build documented-threat models at design time. And as you build and architect code, you are always mitigating against these threat models. The threat models get updated during the course of development to keep them current. At the back end of the process, we have a final security review where we look at the product and all the bug scrubs and all the work we have done to see if the product is ready to ship from a security perspective. This, I think, is the biggest change. If you look at our vulnerabilities year over year in product after product, our vulnerability counts are going down dramatically as our products get better.

Vista is the first operating system that's gone through the SDL process from the beginning. Are you satisfied with the impact SDL had on Vista security?

Yes and no. First of all, I am satisfied in the sense that the vulnerability counts are down for Vista over the comparable periods in XP. We also know that vulnerabilities won't get to zero with complex code, written by human beings and all of that. So the question is where is that sweet spot and have we hit it yet? And my sense is -- not yet. We need better-automated tools to find bugs, which are a big issue for the entire industry. We have lots of tools, but I would not say that tool sets have reached complete maturity and that we and the industry have done the best that we can do. Human code reviews we do a lot of, and we do find things, and that's great. When you throw humans at the problem, they spot certain stuff and they miss certain stuff. But they don't scale well as code bases get really large. So I think the tools can get better, and I think we can continue to get better. I think Vista overall continues the progress, but we need to continue to focus on automated tools.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?