Notes from a Big Island

I am currently on my way back (this post was started on a plane) from a superb two weeks in Redmond meeting with my team and other folks in various parts of Microsoft. There is just so much cool stuff going on and in the plans that it’s hard to know where to start. I’ll just brain dump.

People

I had dinner with David Endler in Austin. Dave was one of the original OWASP founders while he ran iDefense. We had been cyber-buddies for years, met briefly at BlackHat in Vegas a few years back but we finally got to sit down and have dinner. I have to be honest, after having such a good relationship with someone over email for such a long period of time you sometimes wonder if meeting in person will ruin a good thing. Not a chance. What a great bloke. We reminisced over some nice wine about the original people who started and worked really hard to birth OWASP; people like Ingo Struck, Steve Taylor and Dennis Groves; we laughed at how everyone now claims to have been a founder; discussed the success and how well Jeff Williams and crew have grown the project and chatted about the possible future which we both think is at a real critical point.

I also had dinner last week with Mike De Libero. I met Mike through OWASP and he’s the guy who helped fix some “shitake” code in a prototype written by a so-called security developer that contained XSS holes and more. First time I met him in person and a fantastic guy! We chatted about the roles of test and security in organizations, a lot about OWASP and the direction we hope it takes (and doesn’t) and much more.

I had coffee with Frank Heidt. Frank is a super smart really nice guy who used to do code review and development work for us when I was at Schwab.

I had a cup of tea at Mike Howard’s new pad in Austin and had the pleasure of bumping into an old work colleague from ISS days, Gary Geddes. Howard, you make the worst tea in the world!

I had coffee with James Whittaker; actually I met both James Whittakers. The first was confused why I asked for coffee with him and turned up in his office to start talking about mutual friends, only to find out after 30 seconds that it was the wrong James Whittaker! I had coffee with Adam Shostack and had the pleasure of having my dignity handed to me on the foosball table by my good friend JD Meier. Every time I meet JD I learn valuable nuggets. This time I learnt that the key tenets for innovation are biz value, user experience and technical feasibility.

I have met people who run the gov security programs that facilitate source code to governments, met with folks who run the global security advisors program and much, much more, like my friend Brendon Lynch who works on global privacy outreach. I met with Microsoft’s representatives on the PCI security advisory board and discussed ways to constructively influence PCI. If I get one more patronizing email from the PCI cheerleaders who read this blog suggesting I need to take PCI training to understand it (hint: I do, and that’s why I and all the people that I respect know it’s so badly broken) I am going to flip out and start getting really personal! The fact that you guys send me these patronizing mails should be encouraged. I have a private mailing list going laughing at you all and some of the people on it are your customers ;-) Next time you do some QSV work, see if the customer can stare you in the face, scan jockeys!

And of course I met my team. I am not going to name anyone individually for fear of missing anyone out, but I am so glad I joined this team and specifically these folks. There is a real humble team of people doing some really great work (see below) who are super smart and just nice to work with. People have been so welcoming, so helpful and have just made me feel part of the team. The ACE Team are in Redmond town centre, which is off the main campus. There are some games studio folks around our buildings, lots of IT people and obviously development people.

The ACE Team is part of Microsoft IT and a part of Microsoft’s Corporate Information Security department called ISIS. ACE stands for Application Consulting and Engineering and the value proposition is that we are responsible for securing Microsoft’s line of business (LOB) applications, i.e. we secure the business apps we build ourselves. We have four key areas within the team (of about 100 people spread all across the world): ACE Security implements the SDL-IT, a process for building secure LOB apps in-house (including threat modeling and code review); ACE Engineering build tools and tech to help us all do our jobs; ACE Performance do performance and reliability consulting; and ACE Services take the experience gained securing one of the most heavily attacked environments on earth out to customers. I have two roles in ACE: the first is to build and run a team of ACE Services in Europe (and as far out as Russia) working with customers to share the knowledge, tools and experience that we have developed since 2001; the second is to oversee the Oxygen Security Platform coming alive. There has been some press interest in Oxygen and while we are not ready to talk about what we are doing yet, I can say that we are building it first to run inside Microsoft and power parts of the Microsoft Corporate Information Security program, and will be working with some early adopters to take the technology to the field. One of the reasons I joined ACE was for the dog-fooding. Too many people build ivory tower solutions that don’t work in the real world or are fine in theory but in practice don’t cut it.
