Microsoft Security Guru Explains His Take on Security


“What is it that makes security hard?” is a rhetorical question that Microsoft security expert Michael Howard has asked on his blog. The title he proposes for himself is “A Simple Software Security Guy at Microsoft!”, but that is obviously not the case. “Writing Secure Code” is perhaps his best-known book, but it is not the only one of his that covers security issues.

Howard has now proposed an answer to a question he has heard over and over again in different forms: “why can’t you guys simply fix the security problem?” or “reliability and scalability problems are understood and solvable, why can’t you do the same with security?” or his favorite variant, “what the heck keeps you interested in security when it seems you’re fighting a ‘no-win’ battle?”

Howard sees two aspects that constitute the difficult side of security. “Scalability and reliability issues are man-vs-machine and machines are stupid. Security is man-vs-man and humans are intelligent,” said Howard.

The difference is that on one side there is no real contest, while the other raises the most complex challenges. Underlying this status quo is the fact that there is no example of perfect, foolproof code.

“This security stuff is an ongoing arms race and chess game, and each side is constantly trying to outwit the other. We raise the bar, and the attackers then spend time trying to defeat that bar. So we raise the bar again, and so on. With reliability and scalability, we can understand the ‘adversary’ and that’s that. The ‘enemy’ won’t adapt to defeat you,” Howard added.

Howard thus takes a different view of the matter. While it is generally believed that security is always one step behind cybercrime, according to Howard attackers simply adapt to each rise in the security bar.

“To be honest, it’s this on-going intellectual battle that keeps me coming back to security, but it also means that no-one will ever build 100% secure computer products and this is why we update the Security Development Lifecycle (SDL) twice a year as we learn new attack and defense techniques,”

MSDN Blog

Microsoft, Security, Article, Michael Howard