As corporate vice president of Trustworthy Computing (TwC) at Microsoft, Scott Charney is among those at the helm of the company's long-standing efforts to improve the security of its products. In an interview with Computerworld, Charney -- a former federal prosecutor of computer crimes and an assistant district attorney in the Bronx before that -- talked about TwC, the changing threat environment and what security fears keep him awake at night.
This is part 1 if a two-part interview. Part 2 will be posted on Friday.
Does it frustrate you that Microsoft still gets a pretty bad rap on security despite some of the initiatives the company has taken in recent years?
It depends on what the criticism is. The other vendors are doing things but, to be blunt, I don't think any vendor has done as much as we have done. In fairness, a lot of people have given us credit for that. We used to be the laughingstock of security, and now you read all sorts of articles and analysts' reviews saying you should follow Microsoft's lead. The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the Security Development Lifecycle (SDL) is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug. But let's get realistic for a minute: It's not a realistic goal. Sometimes you get these questions, where people say, "You have invested all this money and effort and you talk about the SDL, and you are still not perfect," and I don't think that's a fair criticism. Look, that bridge in Minnesota just collapsed. How long have we been building bridges? We know how to build bridges, right? Sometimes people just have unrealistic expectations of what we can do.
It's been close to six years since Microsoft launched its Trustworthy Computing initiative. What has its biggest contribution been?
The biggest contribution in the security space has been the SDL. We have processes in place now where we build documented-threat models at design time. And as you build and architect code, you are always mitigating against these threat models. The threat models get updated during the course of development to keep them current. At the back end of the process, we have a final security review where we look at the product and all the bug scrubs and all the work we have done to see if the product is ready to ship from a security perspective. This, I think, is the biggest change. If you look at our vulnerabilities year over year in product after product, our vulnerability counts are going down dramatically as our products get better.
Vista is the first operating system that's gone through the SDL process from the beginning. Are you satisfied with the impact SDL had on Vista security?
Yes and no. First of all, I am satisfied in the sense that the vulnerability counts are down for Vista over the comparable periods in XP. We also know that vulnerabilities won't get to zero with complex code, written by human beings and all of that. So the question is where is that sweet spot and have we hit it yet? And my sense is -- not yet. We need better-automated tools to find bugs, which are a big issue for the entire industry. We have lots of tools, but I would not say that tool sets have reached complete maturity and that we and the industry have done the best that we can do. Human code reviews we do a lot of, and we do find things, and that's great. When you throw humans at the problem, they spot certain stuff and they miss certain stuff. But they don't scale well as code bases get really large. So I think the tools can get better, and I think we can continue to get better. I think Vista overall continues the progress, but we need to continue to focus on automated tools.