Q&A: Don't judge Microsoft security by the number of Patch Tuesday bulletins

New processes have made products more secure, security chief says

Microsoft Corp. pours more money into software security than any other major vendor both because it has to and because it can. Yet for all the investments in security, the number of vulnerabilities discovered in the company's products has increased over the years, prompting questions over whether the company has reached the limits of its ability to debug software.

In an interview with Computerworld , Steve Lipner, senior director of security engineering at Microsoft's Trustworthy Computing Group, refuted that suggestion and insisted that the company's Security Development Lifecycle (SDL) approach is working as it was meant to. He said SDL has reduced the number of flaws in Microsoft's newer products while also making them harder to exploit.

Microsoft has invested a lot in security, but the number of flaws being discovered in its products has only been increasing. Why? There are a couple of things that are going on. Obviously, one of them is that security attacks and the security research environment are changing. Security vulnerabilities are actually worth money to the people who find them, so that intensifies the search for vulnerabilities in the outside world.

The second factor is that the SDL (Security Development Lifecycle) is not just about reducing the number of vulnerabilities but also about reducing the severity of the vulnerabilities through things like address space randomization and non-executable memory. We are making it harder to exploit vulnerabilities especially on the newer products. [But] we haven't yet taken the step of reducing the severity [rating] of vulnerabilities on our newer products even if it is too darn hard to exploit them.

Why haven't you done that? We are very conservative about severity ratings. Actually, I am sort of the guilty party who developed both of the severity rating systems we've used over the last 10 years at Microsoft. We haven't yet done any update to the severity rating system to reflect difficulty of exploitation because we want to be very sure that there isn't some way, somehow, that someone could still write a straightforward exploit and prove us wrong.

Some are suggesting that Microsoft might have reached an inherent limit in its ability to debug software with its SDL process. What's your response? Thirty years ago, I used to believe that you could reach perfection. Now, I don't think you are going to get that perfection. But we still have a lot of things that we are working on internal to Microsoft, internal to the security science team in terms of new techniques, new tools that we can apply to detect chances for vulnerabilities and remove them. The challenge for the science team is to make those techniques robust in the sense of low false-positive rates. There may be a theoretical limit at some point but we are not close to it yet. We are still innovating and we are still devising new techniques that we add to the SDL.

What's the SDL's biggest benefit been for Microsoft? I think the biggest gain has been the reduction in the prevalence of exploitable vulnerabilities [in Microsoft's newer products]. It really is the combination of making the code more secure and making the remaining vulnerabilities harder to exploit because the attack surface has been reduced.

Someone looking at the number of bulletins being issued by Microsoft these days would find it hard to believe that the number of exploitable vulnerabilities has actually been reduced. That is something you can fairly say we ought to do more with. Today, if a vulnerability is present in Windows 7 but is mitigated by address space randomization and data execute protection we are still going to issue a bulletin. Our practice today is not even to reduce the severity [of the vulnerability] based on those mitigations. So you can say we need to do a better job of analyzing the impact of the mitigations, but we are continuing to progress on that front.

So, the message is don't judge the SDL by the number of flaws being disclosed? Don't evaluate the SDL just by the gross number of bulletins that are being issued month to month. From our perspective, we are very confident that we have made a lot of progress over the past seven-plus years since we started the Windows security pushes.

But we are not done yet, and we are continuing to improve the SDL. We are continuing to innovate on security science to try and make our products better. There are certainly no inherent limits we have encountered yet.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoft

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Bitdefender 2019

This Holiday Season, protect yourself and your loved ones with the best. Buy now for Holiday Savings!

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?