QUESTION & ANSWER

Microsoft's new security chief: 'We've come a long way'

By Eileen Kennedy, News Writer and Margie Semilof, News Director
26 Jun 2006 | SearchWinIT.com


Microsoft's newest top cop plans on getting his hands dirty. Ben Fathi, recently named chief of Microsoft's Security Technology Unit, said he is ready to jump into design and development to push forward the company's security offerings.

A corporate vice president at Microsoft, Fathi is replacing Mike Nash, Microsoft's high-profile security guru who left on sabbatical. Although storage, file protocols and high-availability clustering had been Fathi's focal points when he was a general manager of the Windows Server division, he said he is relishing this new challenge. Fathi was at TechEd in Boston last week talking with SearchWinIT.com about how he will put his imprint on Microsoft security.

How did you find your way from storage products to the top of the Trustworthy Computing Initiative?

Ben Fathi: Last year I decided that all of the projects I'd started in the last eight years in storage were pretty much over. I talked to Jim Allchin [Microsoft's co-president of the platforms and services division] and said to him that this might be a good time for a change. Roughly at the same time, Mike Nash [former corporate vice president of the Security Technology Unit] was thinking the same thing about his new role. I went on sabbatical, came back, and Jim said, 'How about security? We've got a really interesting, challenging situation that you could jump in and help with,' and I said OK, sounds interesting.

Mike Nash took so many of those early arrows around security. How do you think your tenure in this job will differ from his?
Fathi: If you look at where we were four years ago and where we are today, we've certainly turned the corner. We've really come a long way. One of the things that Mike did really well was delivering Microsoft's message on security and being the visible face of security in the industry and with the press. I love getting my hands dirty, getting involved with the designs and looking forward to what we want to do. I'll be very hands-on with the design and development of future security-related stuff.

But will you still have some public profile with the security community?
Fathi: We have webcasts. We have community chats. We have participation in Black Hat, and [we're] bringing in the Blue Hat conference. None of that is going to change. What I do want to do is get some of the people who work with me -- like Scott Charney, vice president of Trustworthy Computing -- more involved. I have people working for me who run the various development groups. I'm going to give them the opportunity to step up and do some of these community chats [and other activities].

Can you secure software as a service in the same way you secure desktop software? How do you do that?
Fathi: There're a couple of ways. We believe in SDL, first and foremost -- the Security Development Lifecycle. We have people assigned to work with each of the development teams to look at threat modeling. If you start earlier in the development cycle, you do have the time to do that, to apply the security guidelines to it.

We're not only looking at providing a secure platform but providing defense and depth to our products. That's how you provide things like fixes to vulnerabilities through a service. Look at the automatic updates that everyone has turned on today. That's a service to us. We're updating it every month. We're sending bug fixes down. We're sending security improvements to our components so we're already in this world. We're already taking this process to the next step. And this just will evolve as we go to a services environment.

Are you happy with the Patch Tuesday process? Any changes in the works?
Fathi: I am happy with Patch Tuesday. The feedback [from customers] we have is that they like having a regular monthly set of patches -- knowing exactly when it comes, having the communication around -- that a week earlier we send out an advisory. Overall, I think we've come a long way from a couple of years ago where it was really ad hoc.

This article originally appeared on SearchWinIT.com.

