
[ISN] Microsoft Security Guru Leaves Post


By Dennis Fisher
December 23, 2002 

Scott Culp, the man responsible for Microsoft Corp.'s security
response efforts, has left his post and moved to a new position within
the company's Security Strategy Group.

As manager of the Microsoft Security Response Center, Culp has been
the public face of the software giant's efforts to respond to security
problems in its products and improve its image within the security
community. During his five years in the MSRC, Culp played a large role
in the development of Microsoft's procedure for handling
vulnerabilities, dealing with security researchers and getting patches
and information out to customers.

In his new role as a program manager for security strategies, Culp
will be working on security projects across the company's product
portfolio. He'll be working under Scott Charney, the chief security
strategist at Microsoft, based in Redmond, Wash.

"I'm proud to [have] played a role in building a high-quality program
for responding to security issues in Microsoft products and helping
our customers keep their systems secure," Culp said. "With Microsoft's
increased focus on improving the security of its products through our
Trustworthy Computing Initiative, I now am ready to try something new
and put my security experience to use in a new role at the

Steve Lipner, director of security assurance, will still be
responsible for the overall workings of the MSRC.

Culp was the driving force behind Microsoft's current attitude toward
the responsible handling of software vulnerabilities and the
researchers and crackers who find them. In a widely read article he
posted to Microsoft's security Web site in the fall of 2001, Culp
denounced what he saw as the irresponsible publication by some in the
security community of vulnerability data and exploit code before
vendors have a chance to release patches for the issues.

"It's high time the security community stopped providing blueprints
for building these [worms and viruses]. And it's high time computer
users insisted that the security community live up to its obligation
to protect them," Culp wrote in the article. "We can and should
discuss security vulnerabilities, but we should be smart, prudent, and
responsible in the way we do it. If we can't eliminate all security
vulnerabilities, then it becomes all the more critical that we handle
them carefully and responsibly when they're found. Yet much of the
security community handles them in a way that fairly guarantees their
use, by following a practice that's best described as information
anarchy. This is the practice of deliberately publishing explicit,
step-by-step instructions for exploiting security vulnerabilities,
without regard for how the information may be used."

The paper drew strong reactions from people on both sides of the
debate, with some researchers dismissing it as self-serving rhetoric
designed to scare people away from looking for flaws in Microsoft
products. Still, many in the security community say Culp made the most
of a difficult, often thankless job.

"Probably the most sensible thing Microsoft has done recently on the
security front is to convince Scott Culp to move over to the
relatively new group known as the Trustworthy Computing Initiative.  
Scott has a rare combination of skills for the security world; he's
not a programmer, and he is able to speak to people without making
them hate him," said Russ Cooper, surgeon general of TruSecure Corp.,
in Herndon, Va., and moderator of the NTBugTraq mailing list, who has
often been at odds with Culp on security issues. "Combined, Scott has
been very effective at gaining consensus within Microsoft on how to
better handle security issues when they arise, and over the past four
years has been very influential in effecting changes to the mindsets
of product managers - making them appreciate the value of doing this
correctly. In his new position Scott will, hopefully, have more time
and status to effect further changes. Now if we can only get him to go
after those folks in Windows Update more fervently."

ISN is currently hosted by Attrition.org
