Yet, critics, particularly some in the Unix and Java arenas, have taken potshots at Microsoft's history of security glitches. "How do we know if we're going to be effective?" Charney asked. "Well, it's still early with Windows Server 2003, but two measures I will look at are: How many [security] bulletins get released and how severe are the bulletins?"
Security is not something that just seeps into the culture of an organization, and Charney said he has had to work at making it a priority at Microsoft. "We have to shift the cultural outlook of the company," he said. "We have a breakfast series on Trustworthy Computing, and we've been able to fill the room with developers." It did not hurt his cause that the security edict came straight from the top of the company: Microsoft Chairman Bill Gates.
As for developers and seeding security into the development process, Charney said, "We learned it has to enter into the developers' mindset before they start coding. You need a quality assurance process around security. We want to take tools and foster a culture of good security-based coding." Threat modeling and penetration testing are two ways to help ensure secure and high-quality code, he said.
Yet, overlaying insecure applications on security-enabled platforms is no improvement, he said. "Ultimately, as we get to the next generation we want to get to trusted applications that look for trusted environments to run in," Charney said. Microsoft is looking to productize tools that detect buffer overruns. "We want to productize that and put it into Visual Studio," he said.
On the spam front, Charney said he believes it's going to take a combination of technology, industry cooperation, anti-spam legislation on a national level and an equally concerted effort globally to really tackle the problem.
To critics, Charney had this response: "You have every right to be critical, and our track record on security is nothing to write home about, but watch for the results" going forward. Microsoft announced Charney as its new chief security strategist in January 2002, and he took over the role in April 2002.