Microsoft Corp. has never enjoyed a stellar reputation when it comes to security, and its products are favorite targets for sophisticated crackers and script kiddies alike. Recently, the Redmond, Wash., company has made several announcements about initiatives and strategies aimed at improving its security posture. At its Trusted Computing 2001 forum in Mountain View, Calif., last week, company officials introduced a plan to design a standard for the way that security vulnerabilities are reported and handled. The plan drew plenty of criticism as well as its fair share of praise. Senior Writer Dennis Fisher caught up with Scott Culp, manager of the Microsoft Security Response Center and the companys main advocate for the standard, to talk about the plan and what it will take for it to succeed.
eWEEK: Why did Microsoft decide to start this process now? What was the impetus behind it?
Culp: Were rapidly reaching a crisis point with respect to security of the Internet. [The Internet] is seriously threatened by the security environment, and one element of that is how vulnerabilities are handled.
eWEEK: Theres been some talk of the government stepping in and regulating the Internet. Do you think thats likely?
Culp: I think its very likely, especially in todays environment. The prospect is very good if we dont take a reasonable approach to this. If we as a security community dont clean up our act, someone will clean it up for us. We really, really dont want to see that.
eWEEK: Have you been in contact with the government at all about potential regulations regarding security?
Culp: I havent been contacted. But its clear that regulation will be on its way if we as an industry dont address the problem.
eWEEK: What do you think it would take to improve things?
Culp: The big impediment is that theres no industry standard for vulnerability reporting. How do you contact the vendor? Whats the vendors responsibility? We would love to see the industry as a whole develop a process that can be embraced by the majority of the community.
eWEEK: What do you say to the people who believe Microsoft wants to close this process in order to limit its exposure when security problems come up?
Culp: Its absolutely untrue. Thats sheer speculation. We know two things: Theres a problem, and we dont have an answer. We didnt come here with a solution. The process would have to be open for public discussion. A closed process wouldnt be accepted. We have no designs for a closed process.
eWEEK: How long do you think the process of developing a standard might take?
Culp: I dont know. Were very early on the timeline right now. I dont know how difficult it will be to bring all of the people and groups together to get it done. Its going to have to accommodate the needs of different communities.
eWEEK: What kind of role will you and Microsoft play in the standards process?
Culp: Somebody has to lead. Our role is to catalyze people into working for a solution. This is one aspect of solving the problem. There are axes of the problem that are ours alone to solve, and we recognize that.
eWEEK: How difficult do you think it will be to get other vendors to participate? Will pressure from their peers be enough?
Culp: I think customer pressure will be more helpful. It could get to the point where vendors can talk about it as a measure of product quality. It could become a product differentiator and a part of the customer buying process.