Software Security == People && Process && Technology

Mark Curphey here. I run the Subscriptions Engineering Team in Server & Tools Online, where we build complex customer facing web sites like MSDN and TechNet, supporting millions of users. For the last 15 years, I have always held security roles, most recently heading up the Information Security Tools team here at Microsoft, where we were best known for building static code analysis tools and web protection libraries for managed code.

One of the great things about working at Microsoft is that you get a chance to find the place where you can have the biggest impact across the company. At the end of last year, I sat down with my boss (the CISO of Microsoft) and told him that I wanted to explore my passion for web engineering, UX, and development practices. He was completely supportive but told me that I had to first write down everything I had learned about security on one page. If that sounds easy, I will remind you of Blaise Pascal's comment (I paraphrase): "I apologize that this letter is so long; I lacked the time to make it short." After several days, several pens, and numerous whiteboard revisions, I finally got back to a simple Venn diagram that I first saw when I left college (and a set of accompanying notes).


A few weeks ago I got an opportunity to go to Argentina to speak at the inaugural BlueHat conference in South America and I decided to base my talk around the slides I had put together for my boss. I wanted to deliver the message that you have to have People && Process && Technology in order to run a sustainable and scalable software security program.

BlueHat was a great experience. As well as enjoying the country and culture (tango, anyone?) and getting to chow down on some great food, I got a chance to meet a few people that I had e-mailed with and followed for years. Much of what I spoke about circled back to the simple fact that software risk management is a combination of People, Process and Technology and that at Microsoft, we have a great scalable story around process called the Security Development Lifecycle (SDL).

I spoke about how Agile development practices are already mainstream. Despite some popular misconceptions, in order to be an effective Agile team you need to be disciplined, which actually plays in well to thinking about security.

Before the presentations, two developers worked with me, exploring if it was possible to build a front end to the OSVD in a way that we could overlay interesting data points such as significant changes to development frameworks or significant hacks. Unfortunately, we discovered that the data is simply not out there on the Web (or at least not in a form that we could economically digest).

This led to a discussion at the conference about metrics and data. Just why aren’t software security people obsessed by statistics and “Freakonomics”? In order to find cause and effect, we need to get better at capturing relevant data and using it to drive informed decisions.

I also spoke about how architecture matters even though it is not always a trendy topic, and zoomed out on a high-resolution image of a sandcastle to illustrate the point that when you look at architecture at a micro level you often think things are fine but when you understand the context you may well have a different view.

The architectural patterns from Joey Yoder are always fantastic to reference and highly applicable to why architecture affects security in so many ways.

  1. Big Ball of Mud – (a.k.a., Shantytown, Spaghetti Code)

  2. Throwaway Code – (a.k.a., Quick Hack, Kleenex Code, Disposable Code, Scripting, Killer Demo, Permanent Prototype, Boomtown)

  3. Piecemeal Growth – (a.k.a., Urban Sprawl, Iterative-Incremental Development)

  4. Keep It Working – (a.k.a., Vitality, Baby Steps, Daily Build, First Do No Harm)

  5. Sweep It Under the Carpet – (a.k.a., Chernobyl, Housecleaning, Pretty Face, Quarantine, Hiding it Under the Bed, Rehabilitation)

  6. Reconstruction – (a.k.a., Total Rewrite, Demolition, Plan to Throw One Away, Start Over)

* Foote and Yoder –

BlueHat is a great way for us to learn from security researchers and customers and for us to share our learning.

After 15 years in the business, my elevator pitch really is that software security is all about People, Process and Technology.

Take care!

– Mark



*Postings are provided “AS IS” with no warranties, and confers no rights.*