
Last week Ivan Medvedev, the most prominent Russian-speaking security specialist at Microsoft, came to Moscow. At the Software Engineering Conference (Russia) 2008 he talked about the Security Development Lifecycle (SDL), which has cult status among the company's developers. In the broad sense, the name covers a universal, platform-independent methodology and a set of security tools for software development projects.
Since 2004, working by the SDL has been mandatory for all Microsoft product groups; in 2006 a book was written about it (which, by the way, they want to translate into Russian); and since 2007, starting with version 3.2, the SDL has been going to the masses: Microsoft advises everyone to work by it. It has the moral right to do so, because five minutes on the Internet will turn up a whole bunch of reviews describing the SDL as the most advanced secure development mechanism.
To my satisfaction, I managed to talk with Ivan within the walls of Microsoft's Moscow office. As always when meeting an employee of this company, I wanted to ask him about a hundred things. But, again as always, it turned out that he was simply a person passionate about his work who had little to do with all those chilling stories about the corporation that IT parents scare their children with.
Ivan, first I would like to talk about your biography. What is it like for a person with such a resounding Russian last name to work at Microsoft?
It is good to work there. The same as for a Hindu, a Chinese or a European (smiles).
I have been at Microsoft for 9 years. In my final year and after graduating from the Faculty of VMIK of Moscow State University, I worked in Moscow for 2 years at a company that has a website with the interesting name Security.ru. There I worked on encrypting IP streams.
During this time several people from my group went abroad and spoke warmly about the working conditions there. So I decided to try as well: I sent a resume to Microsoft, and a couple of months later I was interviewed during one of their "recruiting trips".
At first I was a developer in the CLR security test team, and after a while I became its lead. Then I moved to the Secure Windows Initiative (SWI) team, where we dealt first with the security of Windows itself, and then with that of all products in general.
And what exactly are you working on now?
We do not have any timeline; we all work together on the SDL. Right now I head the SWI Tools subgroup, where we build internal corporate security research tools. Our latest project is a software tool for threat modeling (Ivan also gave a separate talk on threat modeling at SEC(R) 2008).
Have you ever had the task of making a 100% secure system? Or was everyone ready from the very beginning to constantly release patches for vulnerabilities?
Of course, everyone wants absolute security. But at Microsoft, as in any other sensible company, they recognized and acknowledge that it is impossible to make such a system.
As for patches, I can say that far more vulnerabilities are found and closed before the software is released than after it.
And which protection model is more promising: hiding all the internals of the system on the "black box" principle, or an open architecture in which all defense mechanisms are known to the public?
The Security Through Obscurity model definitely does not work. Security cannot be achieved by hiding program code; this is a generally accepted principle. After all, finding an error in any protected system is only a matter of time.
But such models can work in two cases: if security needs to be provided temporarily (as in games, for example, that become obsolete and lose value very quickly), and if obfuscation is used as a protective tool - tangling the program code in such a way that is impossible.
Do the approaches differ for designing software that the company sells and software that it uses itself?
Yes, they differ very much. The SDL is also suitable for developing internal software; it is quite versatile. But here we are talking about completely different threats. In our internal network we are not particularly worried, for example, by viruses in Word document macros that are sent by mail. Or by protection from the "man with a flash drive." The human factor in the security of a company is not our competence. But, again for example, the problem of privacy is very important: protecting one employee's documents from unwanted eyes.
When IE 7 came out, it had a slogan: "You talked to us about security issues. We heard you!" Did they really hear?
I can say that they worked closely on security. There were far fewer vulnerabilities in the seventh version. Well, they followed the SDL ...
But, interestingly, does the XBox team work closely on security?
Well, at least I don't know of any cases of viruses appearing on the XBox (smiles).
And in the Live team? (I smile myself at the second provocative question in a row.)
(speaks, weighing his words) A lot of attention is paid to security in all Microsoft products.
In fact, each product undergoes a final security review process, and neglecting security in favor of speed or something else is simply not possible for development teams: we will not let such a product through.
Okay, what are your immediate plans?
In November we will release a threat modeling tool. We will publish the SDL optimization methodology. And we will launch the SDL Pro program: we will bring 9 companies into a one-year pilot project, in which they will help everyone to implement the SDL in their work.
In general, we will advise all software architects and top IT managers to pay attention to the SDL.