• SAFECode: Writing Secure Code – learning from each other

    During RSA Europe an industry forum called SAFECode (Software Assurance Forum for Excellence in Code) was announced "to identify and share software assurance best practices, promote broader adoption of such practices into the cyber ecosystem, and work with governments and critical infrastructure providers to leverage vendor practices to manage enterprise risks". I was really excited that I had the opportunity to represent Microsoft during the press conference at RSA as this is – from my point of view – a significant move for the industry. SAFECode was founded by some heavyweights in the software development industry: EMC, Juniper, Symantec, SAP, and Microsoft.

    Over the last few years we invested significantly into our Security Development Lifecycle (SDL). We make the experience we gained available in different forms:

    But this is different. Key people from Microsoft and other companies are coming together to share the best practices and learn from what worked and what did not. From our side, there are people involved like Steve Lipner (one of the "fathers" of SDL) and Michael Howard (Writing Secure Code). The outcome should be better processes as well as a way on how to integrate this kind of process into education and training. This is really great and I am excited to see this moving forward.

    The press coverage was already pretty significant and positive:

    SAFECode is neither a standards body nor a lobbying association. Instead it has been formed as a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods.

    As a collaborative effort of leading technology companies committed to software assurance excellence, SAFECode provides a forum for subject matter experts to come together to work on some of the most challenging issues faced by the industry. There is no single solution or "right way" to address software assurance. Indeed, there are many different ways to succeed. SAFECode provides an opportunity to bring the best methods together in a manner that helps vendors, governments and critical infrastructures better manage risk.

    Every technology vendor has a stake in the global effort to improve the security and reliability of the greater cyber ecosystem. If you are a vendor committed to driving security, privacy and integrity in software, hardware and services, then you belong in SAFECode. We are looking for hands-on members who want to benefit from the experiences of others and actively contribute to advancing the art of software assurance.

    Roger

  • Are you ready for your users of the (near) future?

    Yankee Group Study

    Actually, "near future" might be wrong: I am convinced that the future (with regards to the requirements) is already here. We sponsored a study with Yankee Group with the title Anywhere Access Technologies - Open Enterprise Networks. I read through it and tried to analyze the key findings in there:

    • more than 70% of IT executives said that more than half of their employees today access their networks remotely with a laptop or mobile device: This is significant, isn't it? Look at me: I am in the office to have some 1:1 meetings and mainly to hand in the expense reports. The rest of my time I am on the road or in my "home office". So my laptop hardly ever gets connected to the Corporate network. I am actually writing this blog post in a hotel room. On the other hand I know of a lot of companies where security and IT want to limit the usage of laptops as much as possible. In my opinion, they are hindering a development which will lead to higher productivity and employee satisfaction: I love working from home and having the possibility to spend lunch hours with my family. I am aware that not all jobs can be done remotely, but more jobs could profit from a little bit more flexibility. The statement that mobile workforces increase productivity is underlined by another data point:
    • Our analysis shows almost 37% of all enterprises said they would expect to see a significant increase in employee productivity if workers could access data and information outside the office on any type of device. Among Connectors (companies with more than 50% mobile users), this expectation jumped to 43%: And you want to stand outside of this? I doubt it.
    • Enterprise networks are opening up not just to employees, but to outside parties, too: 87% of the enterprises surveyed said that partners, customers and other users outside the company access internal network resources either frequently or every day: This is the next challenge as more and more information will have to be accessed by external companies and people. How do you authenticate them? How do you keep control over the information they access? And even worse: When I talk to certain industries, they change their partners within hours (e.g. traders) and have to have an extremely flexible network of trust, and therefore an extremely flexible authentication scheme, without hampering security.

    … and a lot more, you can read it yourself.

    But what does that mean for your security? Let's have a look at the different areas of security:

    People

    This will improve the usability. I am a firm believer that if we (as an IT industry) can make this mobile access to company data transparent and easy to use, this will increase security! I have seen cases where normal users wrote a step-by-step guide on how to open a VPN tunnel and access their mails, including all the usernames and passwords needed. They even tucked it to the SecurID. Wow, such a stupid user? No, to me: A stupid IT (sorry for it). Our security did not fulfill the business needs and seemed to make it impossible for the user to actually understand the environment. The secure way is only secure if it is the easiest way.

    Process

    This is now the time where we have to come to proper Risk Management. If we want to be successful as security professionals we have to change our mindset from being risk avoiding to being more risk managing and business enabling! So let's do proper Risk Management and let's do it now!

    Technology

    Network

    We have been talking of the "death of the DMZ" for a long time – or in other words, the de-perimeterization of the network. Now, when I talk about this, people often feel that I am talking about decommissioning the firewalls at the edge of the network – which is nonsense. The firewalls and edge protection are still very important but lose importance if you look at it from an overall risk view. From a network perspective my notebook is part of Microsoft's perimeter. My notebook is more often connected to public networks (or my home network, which is ultimately secure :-)) than to Microsoft's network. Therefore, any protection measures have to be moved to my notebook as well. This is where Network Access Protection comes into play! Make sure that I access corporate information only if my PC is healthy.

    Identity

    With these scenarios, most companies do not too often think about authentication and the identities. There are, however, quite some challenges with authentication and identities:

    • Internal:
      How can we make sure that the user can authenticate, wherever he/she is, but do it securely? Well, smartcards will probably be today's state of the art, but it might well be that the future will be biometrics. With the smartcard the biggest challenge is always: what happens if I lock my smartcard away somewhere far from a Microsoft office and I need my card to log on to my machine? What happens (even worse) if it is broken?
      The second challenge is the management of the identities: How do I make sure users will be decommissioned again? And how can I enforce this decommissioning on the remote machine?
    • External:
      There, the problem is even worse. Can I trust the authentication and the identity management of my partner? Often, this is a "yes, but". You would like to limit this to a certain application (and probably to a certain credit limit as well). What about compliance in this area?

    Will you manage the identities of your employees in 5 years' time? A customer of mine recently told me that he doubts that. How will this change the game? I do not know yet.

    Protection

    Still trying to protect the USB port, aren't you? Well, if you heard me talking about this in the last few years, I always said that the only real protection against USB sticks is artificial resin. Close that thing! If you don't, well, what about the phones? The cameras? The mice with data storage capacity? The SD cards? The… whatever? You will not be able to protect against all those threats. Oh, yes – and what about my private SharePoint, my private Outlook Web Access? If you are really worried about data loss, protect the data itself! Use something like Rights Management Services to start to address this. No, it is not a silver bullet but it increases security significantly in this respect. That does not mean that you should not protect your hard disk (I have BitLocker enabled) but protect the information itself. (BTW, Windows Vista can protect the USB port)

    We could elaborate much more here; there are things like access control as well, and themes around interoperability and, and, and. I do not think that I covered all the risks here, but at least some you should start to think of. I am completely convinced that the mobile workforce is coming much, much faster than a lot of security people feel comfortable with. This is a user-driven scenario which will be so cool that the management wants it. How did smartphones come into companies? The CEO bought one and wanted to have it integrated. Most companies failed to standardize them just because of that, and the scenarios we are looking into are even cooler, trust me.

    My call to action at the moment is pretty simple:

    • Get back to the disciplines we once learned: Risk Management, Dependability etc. and align your strategy to the business strategy!
    • Look out for the technologies that will enable the mobile workforce (access information anywhere, anytime and on any device) in order to be ready.

    I do not think that all the technical answers are already on the table, and if they are, they for sure still have challenges, but I am convinced that we will see scenarios that will get the avalanche rolling within the next 18 months! RPC over HTTPS in Outlook was just a tiny beginning!

    Roger

  • More than 490'000 Database Servers unprotected on the Web

    David Litchfield ran a scan on the Internet for the typical SQL Server and Oracle ports. It is unbelievable that he found approx. 490'000 servers on the Internet – unprotected and often un-patched. On unsupported version levels, on unsupported Service Packs.

    What is going on there? Are these test servers nobody cares about (they are pretty often connected to the corporate network and can easily be used as an entry point for a criminal)? Who is the company behind that? ...

    Looking at the comments to the article Hacker finds 492,000 unprotected Oracle, SQL database servers, people just talk of the admins being stupid … I tend to disagree. Often the IT Pros (and this is just my assumption) are just overstrained. They do not get enough training. They have to be the AD Admin, the SharePoint Guru, the Exchange Pro, the Network specialist, the…, the…, the… and we expect them to be the Security Officer as well? They are held responsible for having good uptime – unfortunately not for security!

    Do not get me wrong. I do not say that this situation is good but up to a certain point I can understand them. We tend to compare them with us, being security professionals. They are often not. Instead of blaming them, we should rather make sure that we can help them and improve the situation. Do they do it deliberately? For sure no! Calling them ignorant and dumb is unfair and the wrong approach!

    Roger

  • WabiSabiLabi and their view on ethics

    I commented on that already twice and I stated that WabiSabiLabi seems to have a different view on ethics than me. For those of you who do not know WabiSabiLabi, it is an online auction for vulnerabilities. We met the founder of this platform during Blue Hat in Redmond and had some discussions on ethics, vulnerabilities and his platform. I have to admit that the way he tweaked the ethical view of the world the way he needed it was pretty interesting.

    Now, I see that my view on ethics is definitely the one that at least keeps me out of jail: WabiSabiLabi founder arrested in Italy

    At least he gets press coverage (and blog coverage :-)) for his platform

    Roger

  • I was visiting Nigeria – watch out!

    You know that I rarely wrote trip reports in the past. I am personally convinced that you do not want to read what I had for breakfast in Barcelona. But this trip was different. When I told the people around me that I would be travelling to Nigeria I got a lot of different reactions :-).

    I guess that most of these reactions are based on our constant confrontation with what we call the Nigeria scam. As you probably know, there is section 419 of the Nigerian criminal code that is violated by these kinds of attacks. Therefore these scams are often called 419 scams. It is unbelievable: when you go to our search engine and search for "Nigeria scam 419" you find more than 400'000 hits! There is even a site called http://www.nigerian-scam.com/. For a country like Nigeria, this is one of the worst possible things to happen if you want to base the growth of the economy on modern technology! Is this a Nigeria-only problem? Not by far. A lot of scams originate from Western countries, a lot of others from Eastern countries – and, there is no doubt about it, a lot from Nigeria as well.

    I was told that Nigeria is serious about fighting these crimes. Additionally, I knew that we have an agreement with the Nigerian government to support them in their efforts. The Nigerian subsidiary invited me to visit the country and talk to customers and governments, and I accepted.

    Let me try to summarize a few of my impressions and findings:

    I had the opportunity to have a roundtable discussion in Abuja with government representatives and in Lagos with executives from different companies, mainly financial services. Additionally, I could collect different impressions of the cities and the country by talking to quite some people. I met a lot of people who are extremely proud of their country and are highly energetic in moving the country forward. Additionally, when driving through the streets of Lagos in particular, you see people wanting to sell something all over the place. Everybody seems to want to run his or her own business. So people do not seem to wait until money comes to them but are aggressively looking for their business opportunities.

    From a technical point of view Nigeria is ramping up fast. Today they still have a bandwidth challenge. In the Western world we are used to having "unlimited" bandwidth. In Nigeria, this is not (yet) the case. However, Nigeria is in the process of solving this issue and there seems to be a good chance that enough bandwidth will be available in the future to drive growth in the economy. In my opinion this will be crucial as Nigeria and the businesses there more and more see that they are part of the global village and want to be connected to it.

    What does this now mean? I am convinced that the spirit in Nigeria will have an upside and a downside with regards to this development. By wanting to drive business, Nigerian people will follow all the opportunities they can to grow their economy. This is a very good thing and I am convinced that there will be good opportunities for them as they do not have to care about legacy applications. In other developing countries I have seen impressive e-government solutions as the government made it a priority and made the money available. As they did not have to link back to "old" legacy host systems, they could do very cool stuff. Similar things can happen here. So, watch out!

    But, as I mentioned already, there is a downside: By going aggressively after the business opportunities on the Internet, there is a good chance that a small part of the population will go after the illegal business opportunities as well – and we have seen that already. This does by no means mean that Nigeria is the one and only source of lottery scams or even of the "Nigeria" scam, but this is definitely a problem for this country. So, watch out! It happened that *.com.ng was blacklisted as a spam domain, which has an unbelievably negative impact on any country at this stage of its development.

    When we come to the downside, there is always an enforcement piece to that. What is Law Enforcement actually doing to combat fraud and any other illegal activity within their country? I often get the impression when I talk to people in Europe that their impression is that Nigeria is doing nothing or that they are not serious about it. After the discussions with the Nigerian government I am convinced that they really want to fight against cybercrime as they have seen that this is a big image problem for Nigeria. And they are serious about that! They already had their first successes and they will improve.

    We, as Microsoft, are committed to helping the Nigerian government. We have the agreements in place and have already started to train some Law Enforcement officers. So, together, and together with additional partners from the private sector, there is a fair chance to go after the bad guys and help Nigeria to ramp up.

    The agreements between the EFCC (Economic and Financial Crimes Commission of Nigeria) and us caught quite some attention which shows that we are on the right path:

    Obviously I know of the Nigeria scam. I am convinced that a country like Nigeria needs a fair chance and support to fix this problem and grow the economy that way.

    Roger

    P.S. I said that I was driving through Abuja and Lagos. Well, driving through Abuja would probably (maybe) work out. Lagos would have been a complete nightmare! I have never seen any worse traffic than that in my life :-)