Microsoft no longer a 'laughingstock' of security, Charney says

Its Trustworthy Computing initiative has made it a model for others

As corporate vice president of Trustworthy Computing (TwC) at Microsoft, Scott Charney is among those at the helm of the company's long-standing efforts to improve the security of its products. In an interview with Computerworld, Charney -- a former federal prosecutor of computer crimes and an assistant district attorney in the Bronx before that -- talked about TwC, the changing threat environment and what security fears keep him awake at night.

This is part 1 if a two-part interview. Part 2 will be posted on Friday.

Does it frustrate you that Microsoft still gets a pretty bad rap on security despite some of the initiatives the company has taken in recent years?

It depends on what the criticism is. The other vendors are doing things but, to be blunt, I don't think any vendor has done as much as we have done. In fairness, a lot of people have given us credit for that. We used to be the laughingstock of security, and now you read all sorts of articles and analysts' reviews saying you should follow Microsoft's lead. The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the Security Development Lifecycle (SDL) is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug. But let's get realistic for a minute: It's not a realistic goal. Sometimes you get these questions, where people say, "You have invested all this money and effort and you talk about the SDL, and you are still not perfect," and I don't think that's a fair criticism. Look, that bridge in Minnesota just collapsed. How long have we been building bridges? We know how to build bridges, right? Sometimes people just have unrealistic expectations of what we can do.

It's been close to six years since Microsoft launched its Trustworthy Computing initiative. What has its biggest contribution been?

The biggest contribution in the security space has been the SDL. We have processes in place now where we build documented-threat models at design time. And as you build and architect code, you are always mitigating against these threat models. The threat models get updated during the course of development to keep them current. At the back end of the process, we have a final security review where we look at the product and all the bug scrubs and all the work we have done to see if the product is ready to ship from a security perspective. This, I think, is the biggest change. If you look at our vulnerabilities year over year in product after product, our vulnerability counts are going down dramatically as our products get better.

Vista is the first operating system that's gone through the SDL process from the beginning. Are you satisfied with the impact SDL had on Vista security?

Yes and no. First of all, I am satisfied in the sense that the vulnerability counts are down for Vista over the comparable periods in XP. We also know that vulnerabilities won't get to zero with complex code, written by human beings and all of that. So the question is where is that sweet spot and have we hit it yet? And my sense is -- not yet. We need better-automated tools to find bugs, which are a big issue for the entire industry. We have lots of tools, but I would not say that tool sets have reached complete maturity and that we and the industry have done the best that we can do. Human code reviews we do a lot of, and we do find things, and that's great. When you throw humans at the problem, they spot certain stuff and they miss certain stuff. But they don't scale well as code bases get really large. So I think the tools can get better, and I think we can continue to get better. I think Vista overall continues the progress, but we need to continue to focus on automated tools.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?