Jonathan Ness
Security guard
Behind the scenes at Microsoft’s Secure Windows Initiative

Microsoft’s Secure Windows Initiative unit has emerged from the shadows, promising a new level of transparency, as well as details of software vulnerabilities and security bulletins.

SWI, tasked with maintaining and managing all aspects of Microsoft’s mandatory SDL (Security Development Lifecycle), has launched a new blog that provides customers with technical details on security vulnerabilities, mitigations and workarounds.

eWeek Security Watch Editor Ryan Naraine recently spoke with Jonathan Ness, the lead software security engineer on the SWI Defense team, about how software vulnerabilities are rated, what goes on behind the scenes after a security vulnerability is reported, and the ups and downs of working with third-party researchers.

‘If we think something we put on the blog could actually help an attacker, [we won’t release] the information.’

What’s your background? How did you end up at Microsoft?

During the Christmas holidays in 2002, I read the second edition of [Microsoft Senior Security Program Manager] Michael Howard’s “Writing Secure Code” from cover to cover. I was working in the military at the time, and, after going line by line over the 600 pages in the book, I decided on a whim to apply to Microsoft to work on [Howard’s] team. I went through the interview loop, and here I am on the SWI team, working at Microsoft because of that book.

What’s your role within SWI?

I work on one of the peer teams—SWI Defense—that focus specifically on creating mitigations and workarounds for vulnerabilities. We work directly with the MSRC [Microsoft Security Response Center] and the product teams to reproduce vulnerabilities, create and test temporary workarounds, and help with rating the severity of a security issue. We always want to make sure we’re offering the right guidance for customers, whether it’s a workaround before a patch is released or product-specific mitigations in the bulletins.

There are other teams within SWI that we work alongside. SWI React, for example, is a peer team that’s responsible for finding vulnerabilities that may be related to an externally reported issue. They build [CONTINUED ON PAGE 50]