By Nancy Gohring
IDG News Service
April 25, 2008
Some people might dream of having the power to kill a product just
before launch at a company the size of Microsoft, but for Scott Charney,
that's just part of the job.
Charney, vice president of trustworthy computing, was hired by Microsoft
in early 2002 to spearhead the company's security strategy. He built a
team that looks for vulnerabilities in products during development and
works to implement security into product design. If the team finds an
issue, even if the product is just about to ship, Charney can order the
product back to the drawing board until the problem is fixed.
Microsoft's implementation of its secure-development lifecycle process
has led the industry, said Andrew Jaquith, an analyst at Yankee Group.
"They have really been a pacesetter in this area," he said.
Still, Microsoft didn't create the initiative out of choice, Jaquith
said. "It was born out of necessity because customers were threatening
to defect," he said. Microsoft once had an internal list, called the
executive hot list, made up of "customers so furious with security that
they called [Bill] Gates or [CEO Steve] Ballmer personally," Jaquith
said. "In many respects, that caused the trustworthy computing
initiative to be born." Microsoft's public-relations firm said that the
company would not comment on the matter.
Since Charney joined Microsoft, on five occasions vice presidents in
charge of products have disagreed with his no-ship order, Charney said
recently to a group of reporters at Microsoft's headquarters in Redmond,
Washington. Craig Mundie, chief research and strategy officer at
Microsoft, was called to settle the disputes, and each time he sustained
Charney's no-ship order.
Once, Charney reversed his no-ship order himself. That was after his
team found out about an issue in Windows Mobile 2003 that should have
been fixed before it shipped, he said. But then Pieter Knook, who was in
charge of Microsoft's mobile communications business until he left the
company this February, explained that delaying the product launch would
mean missing the end-of-year holiday season -- and that the issue could
be fixed after the launch. Charney decided to let the operating system
His team typically finds issues during development and makes sure the
problems are fixed, he said.
"Every now and again we get surprised," he said. Sometimes a
vulnerability is discovered in an older version of a product, and his
team realizes that a newer version in development might also have the
Microsoft hired Charney, who had worked for the U.S. Department of
Justice and served as assistant district attorney in the Bronx, at what
he said was a unique time. The Sept. 11 attacks had just happened, and
two major computer viruses, Code Red and Nimda, had recently spread
rapidly across the Internet. That combination of events created a unique
environment, when previously complacent vendors and governments realized
they needed to get more serious about computer security, he said.
Since then, Microsoft's trustworthy computing initiative has been
largely successful, although there are still a few sore spots, Jaquith
said. Security researchers are impressed by the improvements in
Microsoft's products and say that the company is being much more
transparent about its security processes than it used to be, he said.
Microsoft has also improved its response times to customer concerns
about security, he said.
But there are some vulnerable aspects of Microsoft's software that the
company hasn't fixed and doesn't appear to intend to fix, Jaquith said.
For example, Microsoft has not addressed certain security issues in
Internet Explorer's ActiveX, a major vector for malware, he said.
The next step in Charney's vision for trustworthy computing is securing
the Internet. He recently unveiled a new initiative that is, in essence,
a call to arms for all Internet companies to work together to create a
more trusted Internet. In a white paper, he broadly describes
Microsoft's vision and invites feedback on the ideas. Microsoft is
asking "all who care about online safety to join in a robust and
meaningful discussion about building a more trusted Internet," Charney
wrote in a statement about the initiative.