Interview with Edward Gibson, Chief Security Advisor at Microsoft UK
by Mirko Zorz - Monday, 17 September 2007.
When discussing Windows Vista, Microsoft is emphasizing that it is the most secure Windows ever. Do you believe you'll be able to stand behind that in a year or two? What makes you so certain of Vista's security features? After all, we live in a world of constantly evolving threats. Does 'more secure' = 'secure'?

As mentioned previously, whilst no software is 100% secure, we are confident that Vista is the most secure and thoroughly tested version of Windows we have ever produced. Our customers expect and deserve a computing experience that is safe, private and reliable. Trustworthy Computing has fundamentally changed the way we develop and help our customers manage Microsoft software and services. Threats to security and privacy constantly evolve and the holistic nature of Trustworthy Computing highlights Microsoft’s commitment to facing this changing landscape. Microsoft cannot do this alone, and we will continue to partner and collaborate with industry, government and academia to better protect customers and adapt to evolving security threats.

In the past, Microsoft's security headaches were coming from full disclosure lists where researchers publicly disclosed vulnerabilities in Microsoft products without reporting them to the company. Today, the threat landscape is changing with 0-day vulnerabilities in Windows Vista being sold to the highest bidder and not reported at all. How does Microsoft deal with this problem?

Due in part to recent reports of security vulnerabilities in a wide range of software, security is a growing concern for more and more computer users every day.

The industry is responding in part by seeking new opportunities to improve the way that security information is gathered and shared to protect customers while not aiding attackers.

Microsoft is aware of iDefense offering compensation for information regarding security vulnerabilities. Microsoft does not offer compensation for information regarding security vulnerabilities and does not encourage that practice. Our policy is to credit security researchers who report vulnerabilities to us in a responsible manner.

Since its inception, Microsoft's Patch Tuesday has been successful. Yet, many critical vulnerabilities are announced shortly after the batch of monthly patches. Shouldn't there be more frequent patch releases?

We investigate each security vulnerability report thoroughly to determine its impact on our customers. In combination with that investigation we also take a look at our engineering processes to help determine how we can best deliver a quality update to our customers within the consistent time frame that our customers have requested, which is currently on a monthly cycle.

There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update.

Every vulnerability presents its own unique challenges. We’ve been clear that bulletins can be released out-of-cycle, if necessary, to help protect customers if a level of awareness and malicious activity puts customers at risk in any way. In this case, the level of awareness and malicious activity around a vulnerability may prompt Microsoft to move to a release schedule that would deliver a fix as soon as one could be built and thoroughly tested.
