Interessa
nte info (in het Engels ...) en het is nog een aardige vent ook met typisch Engelse humor (en dat voor een Amerikaan). Ik zit deze week naast hem tijdens een interne Microsoft meeting in Redmond.
Mr. Gibson is the Chief Security Advisor for Microsoft in the UK. This role comes on the heels of his retirement from a 20-year career as a Supervisory Special Agent with the Federal Bureau of Investigation. During this period, Gibson was a recognized expert in investigating complex, international money laundering schemes, asset identification and confiscation, and intellectual property theft. From early 2000 - mid 2005, Mr. Gibson was assigned to the FBI’s Legal Attache office, US Embassy London, as an Assistant Legal Attaché. There, he was responsible for all FBI cyber, hi-tech, cyber-terrorism, and infrastructure investigations in the UK. His leadership resulted in the creation of a model cyber program adopted by all Legal Attache offices around the world.
What has been your biggest challenge in the role of Chief Security Advisor for Microsoft? Has your background expertise helped shape your role in the company?
Most people only know of ‘criminality’ on the Internet through anecdotal reports. Until someone is personally affected by identify theft, social engineering, auction fraud, or other type fraudulent e-commerce activity, it is something for someone else to deal with. This should not be a surprise, as this is generally how people behave in the bricks and mortar world. However, the rules by which we live in the bricks and mortar world are sometimes largely ineffective in the cyber world. The Internet is global, and criminals are not bound by jurisdiction, political relations, or other restrictions due to anonymity and ability to hide in plain sight.
Yes, my background has been a key driver in shaping my role in the company. I know criminals, how they behave and the tools they use, particularly in internationally complex cyber criminality. As the single point of contact for all UK law enforcement and security services at the US Embassy London in relation to cyber investigations and laws related thereto, I had many opportunities to work with a variety of agencies in a number of countries. And each success was due to an understanding of the different cultures, laws, and priorities. This understanding was bolstered by having been a lawyer in the US prior to my appointment as a Special Agent, FBI, and qualification as a Solicitor in England / Wales, and the truly exceptional law enforcement and government representatives, without whom success would have been hard fought. With this background, I am better able and proud to represent Microsoft UK in my role as Chief Security Advisor.
As Windows Vista was released Microsoft has already announced the Vista Service Pack 1. Some see this as a sign that Microsoft knowingly released the OS with security problems while others believe it to be a step forward in security awareness and applaud Microsoft for starting work on a collection of patches this early. What's your take on this situation?
Microsoft’s operating systems / platforms, applications, and processes are used by millions of people in nearly every country on this planet. It’s software products are used in mission critical devices and processes (in the UK, the NHS is a prime example), defence industry, manufacturing, finance, and government to name a few. Knowing what I do about the kinds of attacks against its applications, operating systems, and processes, by ruthless organized crime groups and people using every conceivable method to steal, compromise, extort, blackmail, or otherwise make life miserable for their own personal gain, we all can be mighty proud of the extraordinary efforts Microsoft has and continues to put into making all computer users more safe on the Internet. But remember, criminal attacks against systems is an Industry-wide problem, which is why Microsoft is working with industry partners, government, and educational institutions to help ensure understanding of the problems and develop better solutions.
It's important to remember that no software is 100% secure. We’re working to keep the number of security vulnerabilities that ship in our products to a minimum. Trustworthy Computing is a long-term initiative and those changes do not happen overnight. We’ve made progress and our efforts are resulting in significant improvements in the security of our software. We have every confidence that - together with our industry partners - we'll continue to meet the constantly evolving challenge of security to help our customers and the industry become more secure.
Did Microsoft use a different approach to testing security while developing Windows Vista?
The release of Windows Vista is the first Microsoft operating system to use the Security Development Lifecycle (SDL) from start to finish and was tested more prior to shipping than any previous version of Windows. Building on the significant security advances in Windows XP Service Pack 2, Windows Vista includes fundamental architectural changes that will help make customers more secure from evolving threats, including worms, viruses, and malware. These improvements minimize the operating system’s attack surface area, which in turn improves system and application integrity and helps organizations more securely manage and isolate their networks.
Too often software is developed by bolting security technology onto an application and declaring it secure. The SDL was developed to provide a step-by-step process integrating secure development into the entire software lifecycle from start to finish. We have already seen the benefits of this process as it was first used for Windows Server 2003 and resulted in a 56% decrease in the number of security bulletins, compared to Windows Server 2000.
By having the most deployed OS in the world, Microsoft is always under the microscope and has to tackle a myriad of security challenges. What are the ones that you expect to cause problems in the near future and what strategies does Microsoft use to fight them?
As I always say, it’s about people, process and technology and at Microsoft our security strategy is very much aligned to these three areas. The threat landscape is continually evolving and challenges appear in the form of malware, inappropriate security policies and the regulatory environment. Our security efforts are therefore focussed on the area of partnerships, innovation and prescriptive guidance. Microsoft is working in partnership with Government and industry groups to thwart security threats. So for example, in the UK, we are an active member of the Government backed Get Safe Online program, which aims to educate consumers and businesses on the importance of security.
We are continually developing our products to protect computer users and stay one step ahead of the cyber criminal. So for example, as I’ve already mentioned, our Security Development Lifecycle is used to ensure rigorous testing of software code in products such as Windows Vista. In addition, our MSN Hotmail service blocks 3.4 billion spam messages per day. Finally, at Microsoft, we’re committed to providing guidance to help businesses and consumers act and secure their digital lives. In the UK alone, according to recent figures from APACS (the UK payments association), online banking fraud alone cost £22.5m in 2006. Therefore we are deeply engaged in customer education programs such as our partnership with GSOL. In fact, a big part of my role is to liaise between customers and our internal development teams, finding out what the problems are and seeing how they can be resolved. My number one message is that prevention is the best defense! You don’t need to wait to protect yourself today. There are numerous resources available (both from Microsoft and across the industry) to help protect against the growing severity of information security threats.
When discussing Windows Vista, Microsoft is emphasizing that it is the most secure Windows ever. Do you believe you'll be able to stand behind that in a year or two? What makes you so certain of Vista's security features? After all, we live in a world of constant evolving threats. Does 'more secure' = 'secure'?
As mentioned previously, whilst no software is 100% secure, we are confident that Vista is the most secure and thoroughly tested version of Windows we have ever produced. Our customers expect and deserve a computing experience that is safe, private and reliable. Trustworthy Computing has fundamentally changed the way we develop and help our customers manage Microsoft software and services. Threats to security and privacy constantly evolve and the holistic nature of Trustworthy Computing highlights Microsoft’s commitment to facing this changing landscape. Microsoft cannot do this alone, and we will continue to partner and collaborate with industry, government and academia to better protect customers and adapt to evolving security threats.
In the past, Microsoft's security headaches were coming from full disclosure lists where researchers publicly disclosed vulnerabilities in Microsoft products without reporting them to the company. Today, the threat landscape is changing with 0-day vulnerabilities in Windows Vista being sold to the highest bidder and not reported at all. How does Microsoft deal with this problem?
Due in part to recent reports of security vulnerabilities in a wide range of software, security is a growing concern for more and more computer users every day.
The industry is responding in part by seeking new opportunities to improve the way that security information is gathered and shared to protect customers while not aiding attackers. Microsoft is aware of iDefense offering compensation for information regarding security vulnerabilities. Microsoft does not offer compensation for information regarding security vulnerabilities and does not encourage that practice. Our policy is to credit security researchers who report vulnerabilities to us in a responsible manner.
Since its inception, Microsoft Patch Tuesdays have been successful. Yet, many critical vulnerabilities are announced shortly after the batch of monthly patches. Shouldn't there be more frequent patch releases?
We investigate each security vulnerability report thoroughly to determine its impact to our customers. In combination with that investigation we also take a look at our engineering processes to help determine how we can best deliver a quality update to our customers within the consistent time frame that our customers have requested, which is currently on a monthly cycle. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update.
Every vulnerability presents its own unique challenges. We’ve been clear that bulletins can be released out-of-cycle, if necessary, to help protect customers if a level of awareness and malicious activity puts customers at risk in any way. In this case, the level of awareness and malicious activity around a vulnerability may prompt Microsoft to move to a release schedule that would deliver a fix as soon as one could be built and thoroughly tested.
Creating security updates that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once they know the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe. In some instances, multiple vendors are affected by the same or similar issue, which requires a coordinated release.
Internet Explorer has been hit by a variety of vulnerabilities in the past and many patches have been released. Now that IE 7 out, does Microsoft plan a better security strategy for the most used browser?
Security is an industry wide issue and although there is no one solution, our approach to security spans across both technological and social aspects. In technology, we’re focused on designing software that is resilient in the presence of malicious code threats (such as worms and viruses) and that isolate the potential impact of contamination.
In the interest of helping to better protect our customers, we delivered Windows XP SP2 in 2004, which included a major security upgrade to Internet Explorer. Building on that release, Internet Explorer 7 has been redesigned and includes new security features to help protect end users against spyware and phishing attacks. A variety of new security enhancements have been added to provide end users with a host of new capabilities to make everyday tasks even easier, including dynamic security protection to help keep them safe online.
Originele versie is te vinden op : http://www.net-security.org/article.php?id=1069&p=1
Ruud
Ik krijg regelmatig vragen waarom Microsoft zijn software updates spaart voor een maandelijkse release. Tja.... Het antwoord op deze vraag is best wel complex. Laat ik eens een poging wagen.
Microsoft maakt veel verschillende toepassingen en dat betekent dat er veel code wordt ontwikkeld. Nu is dit nog steeds mensenwerk en (helaas) mensen maken fouten. Het is dus logisch om te verwachten dat de beschikbaarheid van veel software zou moeten leiden tot veel fouten. Gelukkig valt dit wel mee omdat we veel tijd en moeite steken om veel voorkomende fouten te voorkomen. Het plaatje hiernaast geeft deze ontwikkeling weer. Slimmer werken leidt tot minder fouten en dat is in dit geval ook zo. Het is echter niet realistisch om te verwachten dat we ooit in staat zijn om foutloze software te ontwikkelen, helaas.
Dit betekent dat er een groot belang is om zo goed mogelijk met dit feit om te gaan om mogelijke schade en misbruik te voorkomen.
In het niet zo verre verleden werden updates beschikbaar gemaakt op het moment dat zij "klaar" waren voor installatie door onze gebruikers. In de praktijk komt de installatie van deze updates neer op de beheerder van de IT omgeving. En dat kan iedereen zijn afhankelijk van het gebruik van de software. De onvoorspelbaarheid heeft vaak geleid dat een update helemaal niet werd geinstalleerd omdat met het domweg te druk had of is vergeten. Dat is jammer met name omdat misbruik van kwetsbaarheden in Software regelmatig wordt gebruikt om misbruik te maken van argeloze gebruikers.
Voor misdadigers is dit een echte groeimarkt. (Overigens wordt nog steeds het meeste misbruik gemaakt van de gebruiker achter de PC ... Het blijkt nog steeds vrij simpel te zijn gebruikers te verleiden allerlei software te laten installeren door simpele handelingen uit te voeren zoals bijvoorbeeld het klikken op attachments. Leve de Social Engineering !!!!)
In antwoord op dit fenomeen is Microsoft geruime tijd geleden begonnen met Patch Tuesday. Elke 2e dinsdag van de maand wordt gebruikt om nieuwe updates & patches voor onze software uit te brengen. Op de 1e donderdag van de maand wordt bekend gemaakt hoeveel updates en voor welke produkten e.e.a. beschikbaar komt. Dit maakt het voor IT afdelingen veel makkelijker om het werk in te plannen en leidt uiteindelijk tot een hoger gebruik van de update.
Nadeel van deze aanpak is dat updates al eerder klaar kunnen zijn maar niet worden verspreid. Dit risico wordt zorgvuldig afgewogen en indien noodzakelijk kunnen we tussentijds toch nog een update vrijgeven (is pas 2 maal voorgekomen).
Voor consumenten geldt dat het absoluut is aan te raden om het volgende te doen :
- Gebruik de automatische update funktie van Windows om up to date te blijven
- Gebruik een goede Virus & Antispyware scanner
- Gebruik een firewall op je verbinding met Internet
- Denk na wat je doet ... Klikken op attachments of het bezoeken van "vreemde" websites... tja.... En natuurlijk wil ik graag je creditcardnummer weten, toch ?
Als je meer wilt weten, lees dan ook eens : http://blogs.technet.com/security/
Ruud
Afgelopen week is de eerste Master Class van start gegaan als onderdeel van het Lead Enterprise Architect Program (LEAP) 2007-2008
.
LEAP is een lokaal initiatief van Microsoft Nederland waarbij Enterprise Architecten worden meegenomen op een reis langs de verschillende aspecten rondom IT architectuur en Microsoft technologie.
Een aantal jaren geleden is Dik Bijl gestart met dit programma en met behulp van vele Microsoft collega's en partners is het programma uitgegroeid tot een uitgebreid programma waarbij partners en klanten samen werken aan een beter kennisniveau rondom architectuur en Microsoft Technologie.
Hoe werkt dit nu ... De komende weken zal ik verslag doen van mijn ervaringen als facilitator bij 1 van de huidige LEAP groepen. Let wel ... Ik doe verslag van mijn beeld en dat verdient vast aanvullingen (en ik weet zeker dat mijn collega's in hun blogs mij vast gaan corrigeren hahaha !!!!)
LEAP bestaat uit een serie van 5 Master Classes gevolgd door een bijeenkomst in Redmond in de VS. Tijdens elke Master Class wordt 1 onderwerp bij de horens gepakt. Master Class 2 heeft bijvoorbeeld als onderwerp : Enterprise Information Provisioning.
De LEAP deelnemers worden in vaste groepen ingedeeld en gaan voor (ja ... huiswerk) en tijdens de Master Class zelf aan het werk. Na presentatie tussen de groepen onderling, volgt een presentatie van een mogelijke oplossing door een Microsoftie. Natuurlijk is er ruimte van discussie want (ook) in de IT Architectuur geldt dat er altijd meerdere oplossingen mogelijk zijn :-).
E.e.a. wordt afgesloten met een diner en veel onderlinge interactie.
De volgende video clip geeft een impressie hoe het er aan toe gaat :
Video: LEAP 2007-2008 Master Class 1
(Met dank aan Gerard Verbrugge voor het camera werk).
Gedurende de komende maanden volgen er nog 4 Master Classes (totaal is dus 5) in het Microsoft Innovation Center in Barneveld. In januari 2008 gaan we met ca. 210 LEAP deelnemers naar de US voor een afsluitend programma met de top architecten van Microsoft. Heb je vragen of opmerkingen over LEAP, laat deze dan achter als comment of mail me op ruudj$microsoft.com ($=@).
Natuurlijk valt er nog veel meer te vertellen over LEAP, maar dat komt vast nog wel in mijn verslag van de volgende 4 sessies en de Redmond trip.
Ruud
The 2007 Microsoft SOA & Business Process Conference is only six weeks away! During 4 days of breakout sessions, chalk talk discussions, hands-on-labs, peer networking, social events, and interaction with the Microsoft product groups you will learn about both Microsoft’s current portfolio and long-term strategy for SOA & Business Process initiatives. Whether you are a developer, architect, or business decision maker we will have something for you with tracks spanning the full spectrum of technology, architecture, and business value topics. Every session at the conference is focused on providing Real World guidance based on proven practices and solutions.
What You Can Expect
- Keynote Sessions by Senior Microsoft Executives and Technical Leaders
- Over 60 Breakout Sessions
- Hand-On-Labs
- Customer Case-Studies & Roundtables
- Community Birds of a Feather Reception
- Ask The Experts Reception
- Partner Expo
- Discounted pre/post conference training
Registration is filling up fast so check out the details below and register at the conference website
Please direct any questions including press, analyst and sponsor inquiries to MicrosoftEvents@DynamicEvents.com.
Keynote Speakers
Don Ferguson
Technical Fellow, Office of the CTO, Microsoft Corp.
Dr. Donald Ferguson is a Microsoft Technical Fellow in Platforms and Strategy in the Office of the CTO. Don focuses on both the evolutionary and revolutionary role of information technology in business. Microsoft expects that Don will be involved in a variety of forward-looking projects.
Prior to joining Microsoft, Don was an IBM Fellow and Chief Architect for IBM’s Software Group (SWG). Don provided overall technical leadership for WebSphere, Tivoli, DB2, Rational and Lotus products. He also chaired the SWG Architecture Board (SWG AB). The SWG AB focused on product integration, cross-product initiatives and emerging technology. Some of the public focus areas were Web services, patterns, Web 2.0 and business driven development. Don guided IBM’s strategy and architecture for SOA and Web services, and co-authored many of the initial Web service specifications.
Don’s primary hobby is martial arts, specifically Kenpo Karate. He earned his black belt in December, 2005.
Robert Wahbe
Corporate Vice President, Connected Systems Division, Microsoft Corp.
As corporate vice president for the Connected Systems Division at Microsoft Corp., Robert Wahbe leads the team responsible for Microsoft’s service-oriented architecture and Web services platform. His key product responsibilities include Microsoft BizTalk Server, Windows Server Active Directory, Microsoft Certificate Lifecycle Manager, and the wide array of distributed system technologies available in Windows and Microsoft .NET Framework 3.0. Through these efforts, Wahbe leads the Connected Systems Division’s efforts to make it substantially easier to build, deploy and manage distributed applications.
Since joining Microsoft in 1996, Wahbe has served in a number of product development roles with a focus on enterprise development tools in Visual Studio. In 2000 he co-founded the team chartered to deliver Web services and the Windows Communication Foundation; out of this grew the Connected Systems Division.
Before joining Microsoft, Wahbe was co-founder of Colusa Software Inc., a privately held software company acquired by Microsoft in 1996. Wahbe graduated in 1992 from the University of California, Berkeley.
Content Tracks
SOA & Business Process issues reach across the entire organization from developers service enabling existing investments to architects recommending IT standards to business analysts optimizing processes and business owners investing in their IT portfolios. The Microsoft SOA & Business Process Conference will provide guidance across this spectrum through tracks focused on Solution Architecture, Infrastructure Architecture and Business Value.
Frameworks & Tools
The Frameworks & Tools track will provide details on the broad portfolio of SOA and business process tools and technologies available from Microsoft and its partner ecosystem. You can expect sessions on everything from the new designers coming in Visual Studio “Orcas” to the wide array of offerings from our SOA & Business Process Alliance partners. You will also see how to leverage new tools in the .NET Framework, BizTalk Server 2006 R2, Office System 2007, System Center, and others.
Solution Architecture
The Solution Architecture track will focus on the design and implementation of service oriented and business process solutions. We will provide best practices and proven patterns for handling challenges with many aspects of solution architecture including: data, identity, user experience, messaging, workflow, and rules. We will also focus on key capabilities such as service and process analysis and design, service enablement, service composition, process modeling, service instrumentation, service & process lifecycle management and others.
Infrastructure Architecture
The Infrastructure Architecture track will focus on the organizational and technical issues faced when planning and establishing service oriented and business process infrastructures in the enterprise. We will provide guidance and best practices on topics ranging from designing and implementing shared infrastructure for service and process management to overcoming cultural challenges when defining standard governance processes. We will also focus on key infrastructure capabilities such as service virtualization, SLA management, policy enforcement, service and process monitoring, governing service consumption and others.
Business Value
The Business Value track will focus on issues ranging from business capability analysis to establishing a SOA roadmap to defining metrics to measure your return on investment. We will provide case studies and guidance to ensure your SOA and business process initiatives demonstrate value quickly and stay focused on business goals. Whether you are a partner practice manager evaluating the business opportunity of SOA and business process or an enterprise decision maker evaluating the potential return on investment of your SOA/BPM initiatives, the Business Value track is for you.
Breakout Session List
Anatomy & Business Value of BPM Solutions
Full-Lifecycle BPM: Process Modeling, Execution, and Implementation in the Microsoft Ecosystem
Driving Value and Alignment Across IT and Business through Business Architecture
Implementing Decision Services in a SOA Infrastructure: Disease Identification Case Study
Enhance the Power of BPM with Workflow and Business Rules
From Shopping Cart to Delivery: Comprehensive Order Lifecycle Management on the Microsoft Platform
Extending the Reach of ERP Solutions through SOA & BPM
Legacy Modernization Best Practices
Lessons Learned from Implementing Multi-Channel B2B Services
Architecture of the Microsoft ESB Guidance
Building Solutions with the Microsoft ESB Guidance
Architecting a Real World Business Process: Loose Coupling and Best of Breed Technology Selection
Facilitating SOA Roadmap Discussions using the Microsoft SOA Maturity Model for Application Platform Optimization (SOAMM)
Aligning, Planning, and Delivering Enterprise Service Oriented Architecture: Microsoft IT Case Study
Driving Successful SOA Platform Conversations with the Microsoft Customer Engagement Solutions
From IT Agility to Business Agility: Deliver Business enabled SOA and New Level of People-Driven Operational Excellence with A Modern BPMS
Industrialized Service Delivery Platforms: Today and Tomorrow
Internet Service Bus: Service Connectivity at Internet Scale
SOA in Banking: Building a Roadmap
Carrier Grade BizTalk: Lessons Learned from a Mission Critical SOA Solution
SOA in the Commercial Sector: Overcoming Challenging LOB Issues in Manufacturing, Retail, and Financial Services
Healthcare Enterprise Integration: Examining the Impact of SOA & BPM on Healthcare Initiatives
Building and Evolving a SOA Solution in a Rapidly Changing Business Environment: A Case Study in Agility
Connecting the Digital and Physical Worlds through RFID and SOA
Designing a Flexible Governance Infrastructure
SOA Governance and the Microsoft Ecosystem
Service Integrity: Using Visual Studio Team System to Deliver the Right Services at the Right Time
Service Lifecycle Management: Overcoming Challenges in Managing the Provider/Consumer Relationship
Building a Service Monitoring Infrastructure with BizTalk Business Activity Monitoring
Gaining Control of Your SOA: Management and Visibility of Your Services
Defining and Measuring Service Levels in Distributed Systems
Service Virtualization with .NET and BizTalk Server
Building Composite Applications on the Office Platform: A Loan Origination Case Study
Microsoft Excel: Software + Services Made Real Today
The Human-Facing SOA: Realizing the Value of Process and Services with Microsoft Office SharePoint Server
User Experience Today: An Architectural Perspective of Silverlight, AJAX, and ASP.NET
Building Service Oriented UI using Smart Client Software Factory and Acropolis
Demystifying Identity for Developers
Interoperability of .NET and WebSphere: .NET Stock Trader Reference Application
Comparing and Contrasting .NET and J2EE Programming Models
Integrating EJB, JMS and CORBA Assets with BizTalk Server 2006 R2
Real World Interoperability with WCF
Web Service Software Factory: Driving Consistency and Best Practices into Your Service Design
Choosing Between BizTalk Server and Windows Workflow Foundation
Robust Error Handling for BizTalk Solutions
BizTalk Adapters for WCF
Reliable Messaging on the Microsoft Platform
Building HIPAA Solutions with BizTalk Server 2006 R2
Unifying Line of Business Integration: Introducing the .NET LOB Adapter SDK
Best Practices for Testing BizTalk Solutions
Best Practices for Creating Composite Activities in WF
BizTalk Server Advanced Orchestration Concepts
Discounted Training Offers for Conference Attendees
We are pleased to announce discounted training offers from our training partners QuickLearn and PluralSight. These courses have been scheduled to run either immediately before or after the conference in an effort to maximize your travel investment and provide as many learning opportunities as possible. You can find course schedules and links to the training partner sites with more details on the contents, price and style of each offering on the conference website.
Sponsors & Exhibitors
Sponsorship and exhibition opportunities including expo booths, general sessions, and co-branding are available to partners to showcase their latest solutions and innovation allowing attendees to test-drive key technologies and receive one-on-one, informed answers to questions. If you are interested in sponsorship, please email MicrosoftEvents@DynamicEvents.com.
©2007 Microsoft Corporation. All rights reserved. Terms of Use Privacy Statement
This site hosted for Microsoft by Dynamic Events MicrosoftEvents@DynamicEvents.com