Page Two

By Darryl K. Taft | Posted 2003-06-03

Yet critics, particularly some in the Unix and Java arenas, have taken potshots at Microsoft's history of security glitches. "How do we know if we're going to be effective?" Charney asked. "Well, it's still early with Windows Server 2003, but two measures I will look at are: How many [security] bulletins get released and how severe are the bulletins?"

To critics, Charney had this response: "You have every right to be critical, and our track record on security is nothing to write home about, but watch for the results" going forward. Microsoft announced Charney as its new chief security strategist in January 2002, and he took over the role in April 2002.

Security is not something that just seeps into the culture of an organization, and Charney said he has had to work at making it a priority at Microsoft. "We have to shift the cultural outlook of the company," he said. "We have a breakfast series on Trustworthy Computing, and we've been able to fill the room with developers." It did not hurt his cause that the security edict came straight from the top of the company: Microsoft Chairman Bill Gates.

As for seeding security into the development process, Charney said, "We learned it has to enter into the developers' mindset before they start coding. You need a quality assurance process around security. We want to take tools and foster a culture of good security-based coding." Threat modeling and penetration testing are two ways to help ensure secure and high-quality code, he said. Yet overlaying insecure applications on security-enabled platforms is no improvement, he said. "Ultimately, as we get to the next generation we want to get to trusted applications that look for trusted environments to run in," Charney said.

Microsoft is also looking to productize tools that detect buffer overruns. "We want to productize that and put it into Visual Studio," he said.

On the spam front, Charney said he believes it's going to take a combination of technology, industry cooperation, anti-spam legislation on a national level and an equally concerted effort globally to really tackle the problem.

Darryl K. Taft covers the development tools and developer-related issues beat from his office in Baltimore. He has more than 10 years of experience in the business and is always looking for the next scoop. Taft is a member of the Association for Computing Machinery (ACM) and was named 'one of the most active middleware reporters in the world' by The Middleware Co. He also has his own card in the 'Who's Who in Enterprise Java' deck.
