Scott Charney: Microsoft's security chief reveals all

Shortly after the 9/11 bombings, Microsoft hired Scott Charney, a federal prosecutor for the US justice Department, to head up its Trustworthy Computing division. At AusCERT 2008, ZDNet.com.au caught up with Charney to hear his thoughts on how those events changed the security landscape and what he thinks about the current state of IT security.

The Trustworthy Computing division's sole task was to ensure that Microsoft made security the highest priority when developing products.

Scott Charney, VP of Microsoft's Trustworthy Computing Group

Charney was an interesting choice for Microsoft. In his role as lead federal prosecutor for the US Department of Justice's criminal division, he worked on every major hacking case in the United States between 1991 and 1999.

The first real evidence that Microsoft had changed its ways came with the release of Windows XP Service Pack 2, which contained an improved firewall, had auto-update turned on by default and consolidated security controls into a single "security centre". According to Microsoft, the update made Windows XP 15 times safer.

In this exclusive eight-part video interview, Charney discusses Microsoft's current approach to security, what challenges lie ahead and what has gone wrong in the past.

• 

  Security comes at the expense of privacy

  "We can craft ways to protect the values of privacy and security, although in some cases there are tensions to be worked out," says Charney.

• 

  Application vendors are the weakest security link

  Microsoft now builds security into products such as Vista, but attackers have shifted their focus to applications so software vendors are the weakest link.

• 

  Customers are the biggest hole in Microsoft's security

  Microsoft customers need to better authenticate applications they install on their PCs, so the next challenge for Microsoft is to figure out how to provide information so customers make a decision about whether something is good or bad, says Charney.

• 

  9/11 attacks made security an asset

  Until 9/11 security was simply a cost, says the VP of Microsoft's Trustworthy Computing Group — the stock exchange being knocked out suddenly changed this.

• 

  Measuring ROI should include culture

  Measuring investments in security should factor in costs and benefits affecting privacy, economics and culture, says Charney.

• 

  Penetration testing is not enough

  Penetration testing is a good way to audit whether your controls over standardised configurations are working, says Charney.

• 

  Microsoft admits Vista UAC prompts "need work"

  "If you give people too many prompts in too many situations, they view it as an impediment to getting their work done and they just start clicking OK on everything," says Charney.

• 

  Microsoft looks to hardware for protection

  Microsoft will start binding the operating system to hardware in order to reduce the effectiveness of today's security threats.