• On BNET: 3 worst things about the iPhone 3G S
News.com special report:

Wardens of the Web

Tell us what you think about this storyTalkBack    E-mail this story to a friendE-mail    Add to your del.icio.usdel.icio.us    Digg this storyDigg this

Microsoft's lessons from the desktop

By Joris Evers
Staff writer, CNET News.com
June 27, 2007, 4:00 AM PDT

Editors' note: This is part three of a four-day series examining the state and future of Web security.

Pete Boden wants people at Microsoft to think like criminals. That's why the company held its first "Blue Hat" meeting in 2005, which invited hackers onto the corporate campus for lectures and meetings intended to expose security employees to the mentality of digital intruders.

Although it has become a popular biannual event, Blue Hat can still be an unnerving experience at times as guest hackers occasionally break Microsoft products in front of the people who built them. But studying such simulated attacks--a process known as "threat modeling"--provides invaluable lessons in teaching developers how an application can be attacked and what the security controls should be.

"Often times, we find that developers are thinking like a developer or like a user," said Boden, senior director for MSN and Windows Live security at Microsoft.

That's the challenge facing Microsoft. Many company developers and executives believe that securing Web applications is no different from protecting PC desktop software, something the company has learned over the course of three decades. At the same time, Microsoft must acknowledge the crucial differences in pace and scale that are presenting some of the most difficult security challenges ever encountered in digital technology.

Photos: Leading Microsoft's security crew

For all its successes, Microsoft has in the past reacted slowly to industry change or has underestimated its impact. Case in point: back in the mid-1990s the company misjudged the significance of the Internet and Web-based computing. What followed has become equal parts lesson and legend, a call to arms from Bill Gates that ultimately sank arch rival Netscape Communications and set the course of Internet history. More recently, Gates and CEO Steve Ballmer have admitted to miscalculating the value of Web search and digital music, long after Google and Apple stole the show.

It is understandable, therefore, why Microsoft is determined not to fall behind in Web security. The key, according to many within the company and beyond, is not treating it like just another set of desktop bugs.

"The same rules apply. It is not a new science, it is a different environment to apply the same science," Boden said. However, he stresses, "We have to be very careful not to get complacent about saying we understand the problem, because it is going to change right in front of our eyes."

The 18-year company veteran understands why many at Microsoft cling to the notion that Web and desktop security are essentially the same. Although the types of threats change, Boden says desktop and server security lessons are equally valid when applied to online applications.

"There are pieces that are different," he said. "But the discipline of understanding what could break, how it could break, the impact of it breaking, how we protect it, how we respond to any event, those are fundamentally the same."

The main differences--and they are crucial--are speed and size. As Boden says, securing Web applications is all about scaling; if security doesn't scale, data could be at risk.

A year ago, Microsoft had about 30,000 servers in its data centers to support its online services. This year that's up to 80,000, and more growth is planned.

"The business stakes are enormous in this area," Boden said. "If we or anybody in this business violates the users' trust, then we're essentially out of the business."

Learning the hard way
If Microsoft veterans sometimes sound as if they've seen it all before, there's good reason: they've learned the hard way.

Five years ago, Microsoft's customers were getting hammered. That's when Gates launched his Trustworthy Computing initiative to make security a priority. Industry analysts have praised the effort, even though there are still plenty of vulnerabilities found in Microsoft software and attacks still occur.

Inside the MSN and Windows Live security offices, banners still work to remind employees of the importance of security, and a "Security Scorecard" keeps track of performance and ties into individual reviews.

Pete Boden

The regimented approach hasn't always been welcomed by the rank and file. Like human resources and IT staffs, the security department of any company is sometimes viewed like the internal affairs division within the police force--they're paid to keep an eye on you. The 55 members of the MSN and Windows Live security team set policies, assess risks and respond to security incidents.

Not surprisingly, initial efforts to reach out to other departments and employees were met with trepidation.

"We had a robotic image on a lot of our awareness campaign materials last year, and it portrayed a very stern, standoffish approach to the team," Boden said. "We went away from that, specifically because we want to build better relationships with the development teams."

Things are better now. Boden's department is engaged in an ongoing marketing campaign within the company, which includes hosting regular happy hours with local brews and chips and salsa.

"Redhook, Mac and Jack's, we're not short on beer here in the Northwest," Boden said.

Next page: With growth comes more risk



Add a Comment (Log in or register) (8 Comments)
  • prev
  • 1
  • next
Build it right
by MaLvaDo39 June 27, 2007 6:15 AM PDT
If Microsoft was a car company, they would have been sued
until they were left with nothing.

How can a consumer accept a car that is unstable, crashes, is a
magnet to viruses and allows break-ins from a poorly built
machine?

The only way is for Microsoft to start over and create a whole
new OS. Until then, the dark ages of computers continues for
most.

Many are already in the renaissance with their Macs.
Reply to this comment
Google wins out of the three reports
by n3td3v June 27, 2007 7:39 AM PDT
Google: Level headed report and level headed photos

Yahoo: Completely weird trying to put humor into security with drug-like tactics with cartoons and paranoia

Microsoft: They decided to have their own photographer and in the last photo http://news.com.com/2300-1002_3-6192282-3.html?tag=ne.gall.pg drink was seen within the Microsoft office

Who wins on a Cnet report level? Google.

In security and public relations, behind the scenes and ideals don't matter, this was a media and public relations face off, and out of that only Google came out best. The public don't care about cartoons, paranoia and other behind the scenes stuff, they want to hear stuff that is going to make them feel better as a consumer, but how you're better serving your employees.

Consumers wanted to hear about things that effect consumers, and the Google report and photographs done that, Yahoo and Microsoft failed to do that.

Funnily, Google are winning over consumers, something you've failed to beat in your cnet public relations, yet again Google stand out as #1, not only as the number one search company, the number one company online but the crown in public relations and giving the public what they want to hear in terms of cutting edge journalism.

Kudos to Joris Evers for the three reports.
Reply to this comment
Voted #5 Worst Job
by sbwinn June 27, 2007 9:07 AM PDT
Interestingly enough MS Security Grunt was recently voted #6 in
Popular Science's "Worst Jobs in Science 2007". It was right
between Coursework Carcass Preparer and Gravity Research
Subject. "Like wearing a big sign that reads 'Hack Me'".

http://tinyurl.com/2v9la9

I have to disagree with PopSci's analysis on one point --
Microsoft's products are not hacked for the challenge. They are
hacked to create bot nets that send spam, launch attacks, etc.
Zombie PCs are money makers for virus and worm writers.

Just like Plug and Play. . . only Microsoft could invent
Trustworthy Computing.
Reply to this comment
So what have we learned...
by wbenton June 28, 2007 5:06 PM PDT
We've learned that Microsoft has finally learned what it should have already known many many years ago.

However, just stating that they're aware and actually implementing it are two totally different things.

It's too late for them to implement such in Vista because it's just a bake-off of XP with extras.

To really implement what they're claiming properly, it must be done from the Ground Up meaning at least the next operating system after Vista at the earliest!

But can they really pull it off correctly remains to be seen?!?!

Walt
Reply to this comment
MS has a security director?
by oxtail01 June 30, 2007 12:11 AM PDT
Isn't listening to MS security director like having a robber guard your house?
Reply to this comment
(8 Comments)
  • prev
  • 1
  • next
CONTINUED: With growth comes more risk...
Page 1 | 2
advertisement
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET