If hell hasn’t frozen over, then at least the temperature must have dropped a little on the news that cyber-security guru Adam Shostack is joining Microsoft.
Most of the people in the circles he and I overlap in tend to speak derisively of Microsoft, but the reasons Shostack gives for signing on make Microsoft look pretty good:
Over the last few years, I’ve watched Microsoft embrace security. I’ve watched them make very large investments in security, including hiring my friends and colleagues. And really, I’ve watched them produce results.
In making this decision, I’ve had conversations with many people and organizations. The one theme that stands out was the difference in the conversations I had with Microsoft versus other software producers. Some of the things that Microsoft does and is looking to improve haven’t even made it in rudimentary form anywhere else. I found myself having to shift gears and explain Microsoft’s Security Development Lifecycle. I noticed no one else with a Blue Hat conference. No one else stopping feature development to hunt for bugs. I (re-)discovered how few organizations have even basic formal security processes in place, and how few of those have audits to make sure that their processes are followed.
I realized just how many smart people are thinking about these questions at Microsoft, and I’m glad to be joining them.
I just hope it won’t affect his blogging too much.