Three Minutes with Microsoft's Security GuruMicrosoft Corp. pours more money into software security than any other major vendor both because it has to and because it can. Yet for all the investments in security, the number of vulnerabilities discovered in the company's products has increased over the years, prompting questions over whether the company has reached the limits of its ability to debug software. In an interview with Computerworld , Steve Lipner, senior director of security engineering at Microsoft's Trustworthy Computing Group, refuted that suggestion and insisted that the company's Security Development Lifecycle (SDL) approach is working as it was meant to. He said SDL has reduced the number of flaws in Microsoft's newer products while also making them harder to exploit. Microsoft has invested a lot in security, but the number of flaws being discovered in its products has only been increasing. Why? There are a couple of things that are going on. Obviously, one of them is that security attacks and the security research environment are changing. Security vulnerabilities are actually worth money to the people who find them, so that intensifies the search for vulnerabilities in the outside world. The second factor is that the SDL (Security Development Lifecycle) is not just about reducing the number of vulnerabilities but also about reducing the severity of the vulnerabilities through things like address space randomization and non-executable memory. We are making it harder to exploit vulnerabilities especially on the newer products. [But] we haven't yet taken the step of reducing the severity [rating] of vulnerabilities on our newer products even if it is too darn hard to exploit them. Why haven't you done that? We are very conservative about severity ratings. Actually, I am sort of the guilty party who developed both of the severity rating systems we've used over the last 10 years at Microsoft. We haven't yet done any update to the severity rating system to reflect difficulty of exploitation because we want to be very sure that there isn't some way, somehow, that someone could still write a straightforward exploit and prove us wrong. Continue Three Minutes with Microsoft's Security Guru - PC World
Send via e-mail | Submit to Digg | Add to Live Favorites
http://feeds.bink.nu/~r/binkdotnu/~3/c93FCQv741Q/three-minutes-with-microsoft-s-security-guru.aspx
