Microsoft's Charney: Trustworthy Is Worthy

Q&A: Microsoft's security chief says that despite changes to patch management and other practices, the company's Trustworthy Computing program has scored impressive wins.

When Scott Charney joined Microsoft Corp. as the chief security strategist in April 2002, Trustworthy Computing, Microsoft's security initiative, was still in its infancy, and many skeptics were questioning the company's true commitment to security. Now, the plan is nearly 2 years old, and while Charney has made a host of changes, few of the skeptics have gone away.

eWEEK Senior Editor Dennis Fisher met with Charney recently to discuss some of the latest changes in Trustworthy Computing and what the future holds for the initiative.

I know you're making changes to the way you release patches. What's the reasoning behind that? Was it something customers were asking for?

Before we did this, we talked to a lot of large customers. It used to be that we released patches on an as-needed basis. But then customers told us that it would be easier if they knew when to expect them. So we said, "OK, we'll release on Wednesdays." So we did that for a while, and it worked. But then people told us that it became this weekly fire drill where they had to scramble to install a bunch of patches every Wednesday. So then we went and asked them if a monthly release schedule would work. And most of them said yes, but it wasn't unanimous. Some of our customers said they want the patches as soon as they're ready, and they want to be the ones who decide when to install them.

Wouldn't releasing them once a month expose customers to more potential attacks than if you put the patches out right away or once a week?

Well, it turns out that's not the case. Our statistics show that even though the time between when the patch is released and when a worm like Blaster comes out is shrinking, the exploit is almost always released after the patch. That's when there's a lot of attention around the vulnerability, not before the patch. There are very few times when a new exploit comes out, and we say, "Wow, didn't know about that one."

Does the monthly schedule cause more of a backlog in terms of testing and installing patches?

Not really. I thought it would, too. To me, it's intuitive that if five patches come out, you'd test one, then install it, then test another and install that one. So I thought that you could be vulnerable to attacks on one vulnerability while you're dealing with the patch for another one. But our customers said that they test them all in parallel and install them all at the same time.

Whenever we talk about patches, the issue of software liability comes up. Does the prospect that you could eventually be held liable for flawed software scare Microsoft?

I don't know because I'm not convinced that product liability is the right model for software. It's not the same as a car. With a car, if I get in and run someone over with it, no one sues the manufacturer. But people want to hold us liable if someone breaks into a computer through some flaw in our software. The difference is that breaking into the PC requires some intervening criminal act by a third party. And that's not typically covered by product liability law.

The main goal of Trustworthy Computing is to fix these problems and produce software with fewer vulnerabilities. How satisfied are you with the progress of TC so far?

I'm pleased. We're making progress. The security pushes are working, but we still have work to do. In Windows Server 2003, I think we've issued nine security bulletins. Is nine too many? Absolutely. But we're making progress. The main focus internally right now is looking for ways to apply the defense-in-depth strategy. We want to encircle the OS in several layers of defense, with things like anti-virus, firewalls, behavior blocking. We're going to beef up the [Internet Connection Firewall] in XP. There are still things to do.

Would behavior blocking be something Microsoft would build or bring in from the outside?

Could be either one. That kind of method is still evolving, but it's something we need to spend a lot of time on. Where's the state of the art right now? That's always evolving. But the ability to control what code executes is huge.

Which obviously ties in with the Next-Generation Secure Computing Base.

There are some parallels there. But NGSCB is much more dependent on hardware and also needs a lot of support from other vendors. But that also depends on people buying new machines, so the adoption cycle before we really see some useful applications is several years down the road. Our first priority with NGSCB is to find a better acronym.