Posted By: Duncan Mackenzie | Oct 23rd, 2006 @ 9:49 PM | 12,830 Views | 2 Comments

The Application Consulting & Engineering team (ACE Team) is chartered to assess all Microsoft line-of-business applications for security and privacy vulnerabilities. Security Technologist manager Shawn Veney speaks eloquently about what it takes to conduct security assessments and what’s behind our security philosophy. Robert Scoble conducts the interview.

jason818_253.33
Yippi skippy

Presenting a sword fight as a real world example is a nice touch. Most don’t even realize they program, as defined by social engineering. Everyone does it. Have you ever asked someone to pass you the salt? Have you asked the person at the front desk to page an interviewer? Managers, politicians, rock stars are oftentimes excellent social engineers. Marketers are expert at program engineering. They are able to send sweeping memes across the social landscape. Gucci, Levis, Viagra, all have similar items on the market that can be bought for cheaper. Society at large buys into purchasing more expensive name brand items because they have been programmed to believe there is an advantage to consuming items with a brand name. What is more influential, being able to program the human mind and social consciousness or a computer filled with wires and silicone? I don’t know. But it’s a great interview that got me thinking.

shawn_aceteam
If we had free food I bet more than a quarter of our employees would live on campus :)
Thanks Jason; I thought it might be interesting. I taught martial arts for a few years and studied for more than a few years. There are a great many parallels or similarities between what I learned in the martial arts and the military that lend themselves to security (even in the IT centric security world). Perhaps even more importantly in IT because over the years I have noticed how easy it is for IT folk to over focus on the technology and forget about the people and process that utilize said technology. A lot of simple, low cost tactics get overlooked when we focus too heavily on the technology; now granted, some of those low cost techniques can often be riskier to the attacker... but overall? Still pretty easy in most cases to break the people before the technology for a targeted attack.

I have seen many investments in technology that were not equally supported by commensurate investments in the people or processes associated to that technology. In such scenarios you end up with a very unbalanced triad.
