
View Full Version : Interview with Microsoft Director of Security Assurance


Andy Sjostrom
12-20-2002, 01:21 PM
http://www.devx.com/codemag/interview/10339

The developer site DevX.com has published a thoughtful and interesting interview with Steve Lipner, Microsoft Director of Security Assurance. He and his team have during the last year retrained thousands of Windows, Visual Studio .NET and Office developers in security principles. I have no doubt that these efforts eventually will reach the Pocket PC platform as well. If you are interested in the thinking that goes on and the software development attitude prevalent inside Microsoft right now, I recommend reading this article!

"At the end of last year, just as the .NET Common Language Runtime was being completed, they had similar concerns because that's a very security-critical component. Before they shipped, they stopped and said, "We're going to do nothing but security until we're comfortable that we've got the vulnerability rate down to where we can ship this product and it will be secure enough for our customers. ... We have a room over in the conference center that holds about 950 people, and we filled it 10 times. Then, starting February 1, everyone stopped and focused entirely on security. ... What the press has not picked up on is that we have done the same thing for Visual Studio .NET, SQL Server, Exchange Server, Commerce Server, and Office. ... Secure by Default gets pretty visible because features that would have been sitting there running, whether you need them or not, are now disabled unless you need them. Features that would have been running with local system privilege, if they are running at, are often now running with local service or network service privilege. Even if those services have a vulnerability, if you get into them there is much less that you can do."