Microsoft's lessons from the desktop
While similar rules apply to Web security, the differences are crucial and the stakes are high, says Microsoft senior security director. Photos: Leading Microsoft's security crew
Wardens of the Web
TalkBack
E-mail
del.icio.us
Digg thisMicrosoft's lessons from the desktop
Editors' note: This is part three of a four-day series examining the state and future of Web security.
Pete Boden wants people at Microsoft to think like criminals. That's why the company held its first "Blue Hat" meeting in 2005, which invited hackers onto the corporate campus for lectures and meetings intended to expose security employees to the mentality of digital intruders.
Although it has become a popular biannual event, Blue Hat can still be an unnerving experience at times as guest hackers occasionally break Microsoft products in front of the people who built them. But studying such simulated attacks--a process known as "threat modeling"--provides invaluable lessons in teaching developers how an application can be attacked and what the security controls should be.
"Often times, we find that developers are thinking like a developer or like a user," said Boden, senior director for MSN and Windows Live security at Microsoft.
That's the challenge facing Microsoft. Many company developers and executives believe that securing Web applications is no different from protecting PC desktop software, something the company has learned over the course of three decades. At the same time, Microsoft must acknowledge the crucial differences in pace and scale that are presenting some of the most difficult security challenges ever encountered in digital technology.
For all its successes, Microsoft has in the past reacted slowly to industry change or has underestimated its impact. Case in point: back in the mid-1990s the company misjudged the significance of the Internet and Web-based computing. What followed has become equal parts lesson and legend, a call to arms from Bill Gates that ultimately sank arch rival Netscape Communications and set the course of Internet history. More recently, Gates and CEO Steve Ballmer have admitted to miscalculating the value of Web search and digital music, long after Google and Apple stole the show.
It is understandable, therefore, why Microsoft is determined not to fall behind in Web security. The key, according to many within the company and beyond, is not treating it like just another set of desktop bugs.
"The same rules apply. It is not a new science, it is a different environment to apply the same science," Boden said. However, he stresses, "We have to be very careful not to get complacent about saying we understand the problem, because it is going to change right in front of our eyes."
The 18-year company veteran understands why many at Microsoft cling to the notion that Web and desktop security are essentially the same. Although the types of threats change, Boden says desktop and server security lessons are equally valid when applied to online applications.
"There are pieces that are different," he said. "But the discipline of understanding what could break, how it could break, the impact of it breaking, how we protect it, how we respond to any event, those are fundamentally the same."
The main differences--and they are crucial--are speed and size. As Boden says, securing Web applications is all about scaling; if security doesn't scale, data could be at risk.
A year ago, Microsoft had about 30,000 servers in its data centers to support its online services. This year that's up to 80,000, and more growth is planned.
"The business stakes are enormous in this area," Boden said. "If we or anybody in this business violates the users' trust, then we're essentially out of the business."
Learning the hard way
If Microsoft veterans sometimes sound as if they've seen it all before, there's good reason: they've learned the hard way.
Five years ago, Microsoft's customers were getting hammered. That's when Gates launched his Trustworthy Computing initiative to make security a priority. Industry analysts have praised the effort, even though there are still plenty of vulnerabilities found in Microsoft software and attacks still occur.
Inside the MSN and Windows Live security offices, banners still work to remind employees of the importance of security, and a "Security Scorecard" keeps track of performance and ties into individual reviews.
The regimented approach hasn't always been welcomed by the rank and file. Like human resources and IT staffs, the security department of any company is sometimes viewed like the internal affairs division within the police force--they're paid to keep an eye on you. The 55 members of the MSN and Windows Live security team set policies, assess risks and respond to security incidents.
Not surprisingly, initial efforts to reach out to other departments and employees were met with trepidation.
"We had a robotic image on a lot of our awareness campaign materials last year, and it portrayed a very stern, standoffish approach to the team," Boden said. "We went away from that, specifically because we want to build better relationships with the development teams."
Things are better now. Boden's department is engaged in an ongoing marketing campaign within the company, which includes hosting regular happy hours with local brews and chips and salsa.
"Redhook, Mac and Jack's, we're not short on beer here in the Northwest," Boden said.
Next page: With growth comes more risk
(continued from previous page)
Despite their unique mission, Boden's team in many ways represents a cross-section of the company. Members vary from someone who was hired straight out of high school at age 17 to veteran professionals with doctoral degrees in computer science.
Boden's background is equally diverse. Born in the United States to British citizens, he grew up in Southport, England, and attended high school in Philadelphia. It was a Tandy TRS-80 that first got him interested in computers. He worked for Deloitte Consulting before joining Microsoft, where he managed desktops and servers before falling into security as a project manager on Windows 2000.
"I found I enjoyed the challenges and pace of the security function much more than deploying software," Boden said.
He's certainly got plenty of what he asked for. As Microsoft has grown with Web technology, the threats to the empire have multiplied commensurately.
Vulnerabilities on the Web include cross-site scripting bugs that could leave personal accounts vulnerable to hijacking, facilitate data-thieving phishing scams or let hackers plant malicious code on a trusted site. Another commonly discussed problem is SQL injection, where an attacker could gain control over a database behind a Web application.
And with expansion has come additional risk, including complications raised by new business relationships with other companies that host parts or all of Microsoft-branded Web sites. In 2005, for example, an MSN Korea partner fell victim to cybercriminals who created a nefarious program that recorded user credentials for an online game onto the PCs of MSN Korea customers.
That same year, Microsoft kicked off its online initiative, proclaiming the "live era" of software. It announced online complements to Office and Windows. Recently, it unveiled a revamped version of Hotmail, one of its early online applications.
The "live" push is Microsoft's bid to partake in the online applications surge. These applications are helped by new development techniques such as Ajax that stretch the abilities of what Web sites can do, making them act more like traditional desktop apps. That, in turn, has translated to new opportunities for security breaches as well.
"It puts stress on our program, but we have been successful in creating a security model that really pushes accountability back to the business teams," Boden said.
In sharing responsibility for security across the company, Microsoft is similar to its rivals. As
Above all, Boden--like his counterparts at rival companies--says it is crucial to keep in mind why security is so important. As people continue to store their information online, the Web is becoming the equivalent of their personal filing cabinet.
To that end, Boden and his family are no different: they store all their personal data in Web applications.
"We're definitely all in," he said. "So if it fails, it fails for me personally and professionally." 
Stories
Day 1: Inventing the wheel
Leading the charge in Web security at Google, vice president of engineering stands at the forefront of a critical period.
Day 2: It pays to be paranoid
All Yahoo employees are encouraged to be at least a little paranoid. Meet the man who was the first to put it in a job title.
Day 3: Lessons from the desktop
While similar rules apply to Web security, the differences are crucial and the stakes are high, says Microsoft senior security director.
Day 4: Web security challenge
Unprecedented amounts of data will need to be secured in new, untested ways. What's the best course in such uncharted territory?
Photo galleries
Day 1: Google team at work
Everything from dogs to Darth Vader keeps things lively at the office. June 25, 2007
Day 2: A peek at Yahoo 'Paranoids'
"Paranoids" come in the uppercase and lowercase variety. And then there are the superheroes. June 26, 2007
Day 3: Leading Microsoft's crew
Senior security director heads up a 55-member team that's working on marketing itself inside Microsoft. June 27, 2007
Podcast
Podcast: The state of Web security
Is Web security where it should be? Where is it headed? CNET News.com talks to some experts.June 25, 2007
Related stories
Wired but not Web 2.0? That's normal, study says
Wrangling Web 2.0 at S.F. expo
Bug hunters face online apps dilemma
Insecurity complex on the Internet
Google deal highlights Web 2.0 boom
News from around the Web
Divide between Net, desktop disappearing
Web 2.0 threats and risks for financial services
Security remains a challenge for browser developers
Is Really Simple Syndication really secure?
Study: Security cues on banking sites ignored
Botnet battlers call for Net driver's license
Credits
Editors: Anne Dujmovic, Mike Ricciuti, Mike Yamamoto
Design: Andrew Ballagh
Production: Jessica Kashiwabara
Wardens of the Web
Microsoft's lessons from the desktop
Editors' note: This is part three of a four-day series examining the state and future of Web security.
Pete Boden wants people at Microsoft to think like criminals. That's why the company held its first "Blue Hat" meeting in 2005, which invited hackers onto the corporate campus for lectures and meetings intended to expose security employees to the mentality of digital intruders.
Although it has become a popular biannual event, Blue Hat can still be an unnerving experience at times as guest hackers occasionally break Microsoft products in front of the people who built them. But studying such simulated attacks--a process known as "threat modeling"--provides invaluable lessons in teaching developers how an application can be attacked and what the security controls should be.
"Often times, we find that developers are thinking like a developer or like a user," said Boden, senior director for MSN and Windows Live security at Microsoft.
That's the challenge facing Microsoft. Many company developers and executives believe that securing Web applications is no different from protecting PC desktop software, something the company has learned over the course of three decades. At the same time, Microsoft must acknowledge the crucial differences in pace and scale that are presenting some of the most difficult security challenges ever encountered in digital technology.
For all its successes, Microsoft has in the past reacted slowly to industry change or has underestimated its impact. Case in point: back in the mid-1990s the company misjudged the significance of the Internet and Web-based computing. What followed has become equal parts lesson and legend, a call to arms from Bill Gates that ultimately sank arch rival Netscape Communications and set the course of Internet history. More recently, Gates and CEO Steve Ballmer have admitted to miscalculating the value of Web search and digital music, long after Google and Apple stole the show.
It is understandable, therefore, why Microsoft is determined not to fall behind in Web security. The key, according to many within the company and beyond, is not treating it like just another set of desktop bugs.
"The same rules apply. It is not a new science, it is a different environment to apply the same science," Boden said. However, he stresses, "We have to be very careful not to get complacent about saying we understand the problem, because it is going to change right in front of our eyes."
The 18-year company veteran understands why many at Microsoft cling to the notion that Web and desktop security are essentially the same. Although the types of threats change, Boden says desktop and server security lessons are equally valid when applied to online applications.
"There are pieces that are different," he said. "But the discipline of understanding what could break, how it could break, the impact of it breaking, how we protect it, how we respond to any event, those are fundamentally the same."
The main differences--and they are crucial--are speed and size. As Boden says, securing Web applications is all about scaling; if security doesn't scale, data could be at risk.
A year ago, Microsoft had about 30,000 servers in its data centers to support its online services. This year that's up to 80,000, and more growth is planned.
"The business stakes are enormous in this area," Boden said. "If we or anybody in this business violates the users' trust, then we're essentially out of the business."
Learning the hard way
If Microsoft veterans sometimes sound as if they've seen it all before, there's good reason: they've learned the hard way.
Five years ago, Microsoft's customers were getting hammered. That's when Gates launched his Trustworthy Computing initiative to make security a priority. Industry analysts have praised the effort, even though there are still plenty of vulnerabilities found in Microsoft software and attacks still occur.
Inside the MSN and Windows Live security offices, banners still work to remind employees of the importance of security, and a "Security Scorecard" keeps track of performance and ties into individual reviews.
The regimented approach hasn't always been welcomed by the rank and file. Like human resources and IT staffs, the security department of any company is sometimes viewed like the internal affairs division within the police force--they're paid to keep an eye on you. The 55 members of the MSN and Windows Live security team set policies, assess risks and respond to security incidents.
Not surprisingly, initial efforts to reach out to other departments and employees were met with trepidation.
"We had a robotic image on a lot of our awareness campaign materials last year, and it portrayed a very stern, standoffish approach to the team," Boden said. "We went away from that, specifically because we want to build better relationships with the development teams."
Things are better now. Boden's department is engaged in an ongoing marketing campaign within the company, which includes hosting regular happy hours with local brews and chips and salsa.
"Redhook, Mac and Jack's, we're not short on beer here in the Northwest," Boden said.
Next page: With growth comes more risk
(continued from previous page)
Despite their unique mission, Boden's team in many ways represents a cross-section of the company. Members vary from someone who was hired straight out of high school at age 17 to veteran professionals with doctoral degrees in computer science.
Boden's background is equally diverse. Born in the United States to British citizens, he grew up in Southport, England, and attended high school in Philadelphia. It was a Tandy TRS-80 that first got him interested in computers. He worked for Deloitte Consulting before joining Microsoft, where he managed desktops and servers before falling into security as a project manager on Windows 2000.
"I found I enjoyed the challenges and pace of the security function much more than deploying software," Boden said.
He's certainly got plenty of what he asked for. As Microsoft has grown with Web technology, the threats to the empire have multiplied commensurately.
Vulnerabilities on the Web include cross-site scripting bugs that could leave personal accounts vulnerable to hijacking, facilitate data-thieving phishing scams or let hackers plant malicious code on a trusted site. Another commonly discussed problem is SQL injection, where an attacker could gain control over a database behind a Web application.
And with expansion has come additional risk, including complications raised by new business relationships with other companies that host parts or all of Microsoft-branded Web sites. In 2005, for example, an MSN Korea partner fell victim to cybercriminals who created a nefarious program that recorded user credentials for an online game onto the PCs of MSN Korea customers.
That same year, Microsoft kicked off its online initiative, proclaiming the "live era" of software. It announced online complements to Office and Windows. Recently, it unveiled a revamped version of Hotmail, one of its early online applications.
The "live" push is Microsoft's bid to partake in the online applications surge. These applications are helped by new development techniques such as Ajax that stretch the abilities of what Web sites can do, making them act more like traditional desktop apps. That, in turn, has translated to new opportunities for security breaches as well.
"It puts stress on our program, but we have been successful in creating a security model that really pushes accountability back to the business teams," Boden said.
In sharing responsibility for security across the company, Microsoft is similar to its rivals. As
Above all, Boden--like his counterparts at rival companies--says it is crucial to keep in mind why security is so important. As people continue to store their information online, the Web is becoming the equivalent of their personal filing cabinet.
To that end, Boden and his family are no different: they store all their personal data in Web applications.
"We're definitely all in," he said. "So if it fails, it fails for me personally and professionally."
Stories
Day 1: Inventing the wheel
Leading the charge in Web security at Google, vice president of engineering stands at the forefront of a critical period.
Day 2: It pays to be paranoid
All Yahoo employees are encouraged to be at least a little paranoid. Meet the man who was the first to put it in a job title.
Day 3: Lessons from the desktop
While similar rules apply to Web security, the differences are crucial and the stakes are high, says Microsoft senior security director.
Day 4: Web security challenge
Unprecedented amounts of data will need to be secured in new, untested ways. What's the best course in such uncharted territory?
Photo galleries
Day 1: Google team at work
Everything from dogs to Darth Vader keeps things lively at the office. June 25, 2007
Day 2: A peek at Yahoo 'Paranoids'
"Paranoids" come in the uppercase and lowercase variety. And then there are the superheroes. June 26, 2007
Day 3: Leading Microsoft's crew
Senior security director heads up a 55-member team that's working on marketing itself inside Microsoft. June 27, 2007
Podcast
Podcast: The state of Web security
Is Web security where it should be? Where is it headed? CNET News.com talks to some experts.June 25, 2007
Related stories
Wired but not Web 2.0? That's normal, study says
Wrangling Web 2.0 at S.F. expo
Bug hunters face online apps dilemma
Insecurity complex on the Internet
Google deal highlights Web 2.0 boom
News from around the Web
Divide between Net, desktop disappearing
Web 2.0 threats and risks for financial services
Security remains a challenge for browser developers
Is Really Simple Syndication really secure?
Study: Security cues on banking sites ignored
Botnet battlers call for Net driver's license
Credits
Editors: Anne Dujmovic, Mike Ricciuti, Mike Yamamoto
Design: Andrew Ballagh
Production: Jessica Kashiwabara