Charney filled his speech with anecdotes and one-liners that kept the audience rapt as he drove home his point that security is a joint effort between the industry and users. "Attackers pick low-hanging fruit," he said. "We cannot just rely on the government for public safety; a lot of the responsibility falls on us." In short, Charney said, playing on the old adage, when the Internet is involved: "An ounce of prevention is worth a ton of cure."

For instance, Charney said Microsoft needed new patch management tools, so he created a patch management working group and "came up with commandments of patch management. And by the end of the year instead of eight installers we'll have two: one for operating systems and one for applications."

Charney said security needs to be built in at the early stages of the development process. The .Net Framework 1.0 led the way, debuting code access security, and the .Net Framework 1.1 builds on the Trustworthy Computing foundation, he said.

Charney said Microsoft's strategy is to make its products secure by design, secure by default and secure by deployment. To that end, Microsoft has had more than 2,500 developers doing security testing, including hiring outside "penetration testers" to try to break systems. In addition, Microsoft now offers 60 percent less attack surface than in previous versions of the operating system, and in Windows Server 2003 more than 20 services have been changed to be off by default.

The tenets of Trustworthy Computing at Microsoft include security, privacy, reliability and business integrity. And Charney admonished his charges to "protect the CIA: confidentiality, integrity and availability."
Charney said the current situation is full of opportunity for hackers and intruders. Among the statistics he cited: there will be 14 billion devices in use by 2010, 35 million users by 2005, and a 65 percent increase in Web sites. Yet, he said, about 90 percent of organizations surveyed detected security breaches, 85 percent detected computer viruses, and 95 percent of all breaches are avoidable with an alternative configuration.