  • Open Source and Hackers

    The debate is probably as old as the Open Source software development model: Which one is more secure, Open Source or shared source as we at Microsoft run it? I know that we could now enter a religious debate about that, which I do not want to, as I do not really believe in the value of such a debate.

    However, it is always interesting to see who looks at this debate and how. Does it help security if everyone can see the code, or does it help the attackers? We have a program which we call the Government Security Program, giving governments under certain circumstances (e.g. protection of intellectual property) access to our source. Sometimes we have the debate with government officials whether having access to the code could allow an attacking government to get an advantage in the area of cyberwar or cyber espionage. Looking at that debate, Open Source would be even worse, as it means access for everybody.

    Now, I just read this article: Open-Source Could Mean an Open Door for Hackers. It is about a paper looking at data from Intrusion Detection Systems, and its finding is that flaws in open-source software tend to be attacked more quickly and more often than vulnerabilities in closed-source software. An interesting statement in light of the fact that we know there are more vulns in Open Source software than in shared source, and fairly often it is because of the lack of processes enforced to engineer security into the product from the beginning.

    Another thing which is important to me is "As defenders get out their patches, the attackers have more incentive to move on to a different exploit," Ransbotham [the author of the paper] says. In other words, having a strong incident response (besides the engineering process) is at least as important.

    This should be something the industry adopts. We made our engineering process, called the Security Development Lifecycle, public, and I think our incident response is widely known as well as being a best practice. So, something people should finally come to adopt.

    Roger

  • Should the Government be able to enforce security updates?

    This is actually an interesting question. A lot of governments enforce rules and regulations on how you have to run your car, how often you have to check it, in which condition you have to keep your tires etc. The same is true for a lot of other devices we are using.

    Now, it seems that the US just passed a bill to give the president the power to order companies to deploy security updates or block a certain type of traffic. I understand where this is coming from: You need some level of authority if your critical infrastructure is under attack. Here, a lot of governments rely on the collaboration of the different players. The US seems to go one step further. Honestly, I am not completely sure whether I like it or not. It has a lot of pros and cons.

    What is your view?

    Roger

  • Mature your IT and then move to the Cloud

    Today, I had the opportunity to talk to a group of partners on Cloud and security. The goal was to make them ready for the Cloud and make them ready to answer the customer's questions. One block – obviously – was about security and as I look at it (and as I said), this starts with the customer's processes. In addition, you need a clear and implemented data classification scheme. I am convinced that a Cloud provider that offers the needed transparency and a secure environment (and does not only tell you that they are as secure as e.g. a bank) will often reduce your risk exposure if your overall IT organization is mature enough.

    Now, I read this study: New Study Says Senior Leaders are Increasingly Distant from Security, Privacy – a study by Carnegie Mellon and therefore not from a consulting company that wants to sell services. To look at some data and quote the article:

    Westby says a comparison of the level of board participation in key areas for IT security governance shows the facts:

    • Review/Approve Annual Budgets - Sixty-one percent of 2010's respondents say they never review budgets, compared to only 40 percent from the previous survey;
    • Review/Approve Top-Level Policies - 2010's survey shows that 33 percent say they never do, compared with 23 percent previously.
    • Review/Approve Roles & Responsibilities - 43 percent of respondents say they never take part re: IT security personnel, compared with only 28 percent last time.

    And these are the customers who want to move to the Cloud? In my opinion the board is key when it comes to risk management, and they have to get involved and take part in it.

    Is this the board's fault? This would be too easy from my point of view. This is just the way a lot of security professionals handle this problem and complain that the board is not interested in such themes. What did we as a community do to change this? In the best case we implement a risk management process and include the board in those processes – and speak techie language, not the board's language. We rarely show how a risk might affect the business process, but how it affects the technology. Last but not least, we never show the board how we could use security to help the business grow.

    Let's stick with the Cloud for a second. The standard security person tells his/her board that we cannot go to the Cloud because of security (heard that very, very often). Why do we not approach it the other way round: We should actually move our "company internal" data to the Cloud to reduce cost and increase security? This is actually true in a lot of cases.

    All of a sudden security becomes an asset instead of a blocker – we have to change our attitude! It starts with us!

    Roger

  • Who needs a (vulnerable) iPad if you can get an nPad?

    I actually wanted to show the nPad to you as I loved it – it is a new hardware form factor for what we have been doing for years on the tablet. I like this new hardware (see below) and then read this article, showing that Apple got hit fairly hard this week by a vulnerability in the iPad: Apple's Worst Security Breach: 114,000 iPad Owners Exposed.

    This is what I think is interesting: Everybody jumps onto the cool Apple hardware and uses consumer devices like the iPad or iPhone in the enterprise. What I like is the great interoperability which can be leveraged, e.g. the sync from the iPad to Exchange ActiveSync.

    So, coming back to the nPad: This is a great device, looking similar to an iPad but with Windows 7. As we have been doing tablets for quite some time (Windows XP Tablet Edition), I have been using one since then. With Windows 7 we actually include multi-touch, and this is used in this model.

    Looks really cool:

    If you want more information, here is the website of Nexocial – the company actually building them – and if you are interested, here is the Dutch webshop.

    Roger


  • Vulnerability Disclosure to Compete?

    As you know (I stress that fairly often), I am Swiss. The reason why I am stressing this today is that I want to give you an example on security from the Swiss market: The banks here compete with each other – obviously. However, I have never seen the banks competing on security. They never use, for example, new authentication schemes in eBanking to compete. There is nothing like "our eBank is more secure than our competitor's" or "have you seen, our competitor was just successfully phished". The reason for that is fairly simple: The whole banking system will lose, as trust in the ecosystem as such will erode if they start to blame each other, and this is not to the advantage of all the banks.

    Why do I tell you this? Well, as you know, we at Microsoft have been promoting responsible disclosure of vulnerabilities for years. We do not buy vulnerabilities, and if we find vulnerabilities in third party products, we let the vendor know and help them to fix the issue. This is to protect the ecosystem and to protect our customers, as public, irresponsible disclosure puts all our joint customers at risk.

    By the way, on a side note I want to make sure you have seen the advisory we released yesterday on a Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution, as it might be important for you to understand the workarounds. The history of this vulnerability can be found here: Windows Help Vulnerability Disclosure. I just want to quote the blog post: This issue was reported to us on June 5th, 2010 by a Google security researcher and then made public less than four days later, on June 9th, 2010. Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk.

    Roger