Scott Culp, the man responsible for Microsoft Corp.s security response efforts, has left his post and moved to a new position within the companys Security Strategy Group.
As manager of the Microsoft Security Response Center, Culp has been the public face of the software giants efforts to respond to security problems in its products and improve its image within the security community. During his five years in the MSRC, Culp played a large role in the development of Microsofts procedure for handling vulnerabilities, dealing with security researchers and getting patches and information out to customers.
In his new role as a program manager for security strategies, Culp will be working on security projects across the companys product portfolio. Hell be working under Scott Charney, the chief security strategist at Microsoft, based in Redmond, Wash.
“Im proud to [have] played a role in building a high-quality program for responding to security issues in Microsoft products and helping our customers keep their systems secure,” Culp said. “With Microsofts increased focus on improving the security of its products through our Trustworthy Computing Initiative, I now am ready to try something new and and put my security experience to use in a new role at the company.”
Steve Lipner, director of security assurance, will still be responsible for the overall workings of the MSRC.
Culp was the driving force behind Microsofts current attitude toward the responsible handling of software vulnerabilities and the researchers and crackers who find them. In a widely read article he posted to Microsofts security Web site in the fall of 2001, Culp denounced what he saw as the irresponsible publication by some in the security community of vulnerability data and exploit code before vendors have a chance to release patches for the issues.
Page Two
: Microsoft Security Guru Leaves Post”>
“Its high time the security community stopped providing blueprints for building these [worms and viruses]. And its high time computer users insisted that the security community live up to its obligation to protect them,” Culp wrote in the article. “We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it. If we cant eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when theyre found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice thats best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.”
The paper drew strong reactions from people on both sides of the debate, with some researchers dismissing it as self-serving rhetoric designed to scare people away from looking for flaws in Microsoft products. Still, many in the security community say Culp make the most of a difficult, often thankless job.
“Probably the most sensible thing Microsoft has done recently on the security front is to convince Scott Culp to move over to the relatively new group known as the Trustworthy Computing Initiative. Scott has a rare combination of skills for the security world; hes not a programmer, and he is able to speak to people without making them hate him,” said Russ Cooper, surgeon general of TruSecure Corp., in Herndon, Va., and moderator of the NTBugTraq mailing list, who has often been at odds with Culp on security issues. “Combined, Scott has been very effective at gaining consensus within Microsoft on how to better handle security issues when they arise, and over the past four years has been very influential in effecting changes to the mindsets of product managers—making them appreciate the value of doing this correctly. In his new position Scott will, hopefully, have more time and status to effect further changes. Now if we can only get him to go after those folks in Windows Update more fervently.”