In this exclusive video interview from RSA Conference 2011, Microsoft Corporate Vice President of Trustworthy Computing Scott Charney and SearchSecurity.com Senior Site Editor Eric B. Parizo discuss the state of Microsoft's Trustworthy Computing initiative in 2011, including the reasons why the software giant's products are getting more secure despite its record number of security bulletins in 2010, the top ways enterprises can take advantage of the improved security capabilities in Windows 7 and the case for Internet Explorer as the most secure browser available today.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.
Q&A: The state of the Microsoft Trustworthy Computing initiative in 2011
Eric Parizo: Hello. I am Eric Parizo, it is great to have you with us.
Joining us today is Scott Charney, Corporate Vice President for
Trustworthy Computing at Microsoft. Scott, thank you so much
for joining us today.
Scott Charney: Thank you for having me.
Eric Parizo: Microsoft released 106 security bulletins in 2010;
that is more than in any other previous year. What does that
say about the state of trustworthy computing at Microsoft?
Scott Charney: The reality is, of course, that as we have
worked to reduce vulnerabilities in code, there were two
things that continued to happen. One, is that the threat
model has become more advanced and because you have
more and more people probing now, and even some nation
states devoting resources to finding these vulnerabilities, it is
going to be challenging because of the point I made before, which is
you are not going to get vulnerabilities to zero. The second problem
is at the early days of the SDL, we removed big classes of
vulnerabilities, things like buffer overruns; we built good tools and
removed them. What you are finding then is after you pick low-hanging
fruit, the things that remain can be more challenging to fix and more
complicated to fix. As a result of that, you need even more testing
because you have backward compatibility and other issues and so what
you are seeing is a couple of things. One, is it sometimes takes
longer to fix things because they are more complicated and two, as
the threat models become more advanced, you get an interesting
set of adversaries who are working very hard to find vulnerabilities
in code. That makes it very challenging.
Eric Parizo: Critics would say it is a sign that Microsoft software
is more insecure than ever before. How do you respond?
Scott Charney: You have to look generation over generation. If
you actually look at the bulletins and which products are affected,
our vulnerability counts are dropping generation after generation.
There are two interesting things about this. One is, while the newer
products may be more secure, the customers are not always running the
newer products. It can be difficult to migrate from old platforms to
new platforms, so sometimes customers are not getting the benefit of
these newer technologies. The second thing is, working on still newer
technologies, which we have been talking about at RSA. We really need
a trusted boot path and you need to be able to create an environment
that is more secure than what we had before; we also have to do that
at the application layer. The identity metasystem we have been
talking about, where people would have the greater confidence that
what they are receiving is from who they really think it is from,
those things are critically important, too. While our products are
getting more secure generation over generation, a lot of our customers
are still living with older pain.
Eric Parizo: The Verizon Business 2010 Data Breach Investigations Report
that went out last summer found that not a single data breach was caused
by what it called a patchable vulnerability. As a result, should Microsoft and
should enterprises scale back on patch management efforts?
Scott Charney: No. I think we have to continue to patch. In fact,
notwithstanding that report, very often successful exploits occur
because of older products in unpatched machines. Bad guys will adapt
based on what the good guys are doing. If we left things unpatched,
then they would go to those unpatched machines. We do have an
obligation and a need to keep people patched and current, and we will
continue to do that.
Eric Parizo: Let us talk about Windows 7 for a minute. What are you
most pleased about, from a security perspective, with Windows 7, so
far, and where are the opportunities to improve?
Scott Charney: What pleases me most is that we are continuing to see
generation-over-generation benefits in security at two levels. One -
reduction in vulnerability. Two - better defense in depth. Things
like address space layout randomization and the move towards a more
trusted booting process are really healthy things. Those are the
things that give me a lot of hope for the future. There are still
things that we need to improve. TPMs are not ubiquitous. A lot of
people are moving to phones as their primary platform, and the
security of the phones is not what the security of the PC is, and we
still need an identity metasystem to greatly increase security of
Eric Parizo: Data suggests that among organizations that have, or are,
implementing Windows 7, most of them have not taken advantage of the
opportunity to deploy desktop virtualization, a capability that is
built into the OS. From a security perspective, are enterprises
missing an opportunity there?
Scott Charney: Sometimes I think they are, and very often there are
security features in a product that are not used as religiously as we
would hope. There are certain things you can do that are built into the
product and it would be great; sandboxing and virtualization is a
good security feature. BitLocker, turning on BitLocker for all of your
mobile devices is a really great thing to do when people,
unfortunately, sometimes lose their device, or have it stolen. It is
really important that customers embrace the security that exists in
the existing products as we continue to make it better.
Eric Parizo: A recent NSS Labs report showed that Microsoft Internet
Explorer 9 beta did a better job than any other browser when it comes
to blocking malware and malicious websites. Obviously, that was only
one test, but make the case why enterprises that have switched to a
non-Microsoft browser should take a look at IE 9.
Scott Charney: The most compelling case is that it is fairly clear
to most customers that for the last eight years Microsoft has been
really concentrated and focused on security, the implementation of the
security development life cycle. Our embrace of SD3s: secure by
design, secure in defaults, secure in deployment. I think people are
seeing the results. I know when I started in Microsoft eight years ago
I met a lot of customers who said, 'We are going to an alternative
platform because it is more secure.' The data didn't actually support
that, but it was widely believed to be true, and I almost never hear
that anymore. Our vulnerability counts have dropped, patching
processes have gotten better, we have put in more defense in depth,
and I feel like we have done a good job, that the market is
Eric Parizo: What effect do you think competition from the Google
Chromes and Mozillas of the world have done to foster greater browser
Scott Charney: Competition is always a great thing, both for innovation
and security. The reality is we started on this security push before that
competition was really present and we will keep going, regardless.
Eric Parizo: Scott Charney, Corporate Vice President for Trustworthy
Computing at Microsoft. Thank you so much for joining us today.
Scott Charney: Thank you.