Interview with Edward Gibson, Chief Security Advisor at Microsoft UK
by Mirko Zorz - Monday, 17 September 2007.
As Windows Vista was released Microsoft has already announced the Vista Service Pack 1. Some see this as a sign that Microsoft knowingly released the OS with security problems while others believe it to be a step forward in security awareness and applaud Microsoft for starting work on a collection of patches this early. What's your take on this situation?

Microsoftís operating systems / platforms, applications, and processes are used by millions of people in nearly every country on this planet. Itís software products are used in mission critical devices and processes (in the UK, the NHS is a prime example), defence industry, manufacturing, finance, and government to name a few. Knowing what I do about the kinds of attacks against its applications, operating systems, and processes, by ruthless organized crime groups and people using every conceivable method to steal, compromise, extort, blackmail, or otherwise make life miserable for their own personal gain, we all can be mighty proud of the extraordinary efforts Microsoft has and continues to put into making all computer users more safe on the Internet. But remember, criminal attacks against systems is an Industry-wide problem, which is why Microsoft is working with industry partners, government, and educational institutions to help ensure understanding of the problems and develop better solutions.

It's important to remember that no software is 100% secure. Weíre working to keep the number of security vulnerabilities that ship in our products to a minimum. Trustworthy Computing is a long-term initiative and those changes do not happen overnight. Weíve made progress and our efforts are resulting in significant improvements in the security of our software. We have every confidence that - together with our industry partners - we'll continue to meet the constantly evolving challenge of security to help our customers and the industry become more secure.

Did Microsoft use a different approach to testing security while developing Windows Vista?

The release of Windows Vista is the first Microsoft operating system to use the Security Development Lifecycle (SDL) from start to finish and was tested more prior to shipping than any previous version of Windows.

Building on the significant security advances in Windows XP Service Pack 2, Windows Vista includes fundamental architectural changes that will help make customers more secure from evolving threats, including worms, viruses, and malware. These improvements minimize the operating systemís attack surface area, which in turn improves system and application integrity and helps organizations more securely manage and isolate their networks.

Too often software is developed by bolting security technology onto an application and declaring it secure. The SDL was developed to provide a step-by-step process integrating secure development into the entire software lifecycle from start to finish. We have already seen the benefits of this process as it was first used for Windows Server 2003 and resulted in a 56% decrease in the number of security bulletins, compared to Windows Server 2000.

By having the most deployed OS in the world, Microsoft is always under the microscope and has to tackle a myriad of security challenges. What are the ones that you expect to cause problems in the near future and what strategies does Microsoft use to fight them?

As I always say, itís about people, process and technology and at Microsoft our security strategy is very much aligned to these three areas. The threat landscape is continually evolving and challenges appear in the form of malware, inappropriate security policies and the regulatory environment. Our security efforts are therefore focussed on the area of partnerships, innovation and prescriptive guidance. Microsoft is working in partnership with Government and industry groups to thwart security threats. So for example, in the UK, we are an active member of the Government backed Get Safe Online program, which aims to educate consumers and businesses on the importance of security.

We are continually developing our products to protect computer users and stay one step ahead of the cyber criminal. So for example, as Iíve already mentioned, our Security Development Lifecycle is used to ensure rigorous testing of software code in products such as Windows Vista. In addition, our MSN Hotmail service blocks 3.4 billion spam messages per day.

Finally, at Microsoft, weíre committed to providing guidance to help businesses and consumers act and secure their digital lives. In the UK alone, according to recent figures from APACS (the UK payments association), online banking fraud alone cost £22.5m in 2006. Therefore we are deeply engaged in customer education programs such as our partnership with GSOL. In fact, a big part of my role is to liaise between customers and our internal development teams, finding out what the problems are and seeing how they can be resolved. My number one message is that prevention is the best defense! You donít need to wait to protect yourself today. There are numerous resources available (both from Microsoft and across the industry) to help protect against the growing severity of information security threats.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th