Microsoft's new security boss envisions hands-on role

Ben Fathi, the new face of Trustworthy Computing at Microsoft, expects to get more involved in security design and development.

Microsoft's newest top cop plans on getting his hands dirty. Ben Fathi, recently named chief of Microsoft's Security Technology Unit, said he is ready to jump into design and development to push forward the company's security offerings.

A corporate vice president at Microsoft, Fathi is replacing Mike Nash, Microsoft's high-profile security guru who left on sabbatical. Although storage, file protocols and high-availability clustering had been Fathi's focal points when he was a general manager of the Windows Server division, he said he is relishing this new challenge. Fathi was at TechEd in Boston last week talking with about how he will put his imprint on Microsoft security.

How did you find your way from storage products to the top of the Trustworthy Computing Initiative?

Ben Fathi: Last year I decided that all of the projects I'd started in the last eight years in storage were pretty much over. I talked to Jim Allchin [Microsoft's co-president of the platforms and services division] and said to him that this might be a good time for a change. Roughly at the same time, Mike Nash [former corporate vice president of the Security Technology Unit] was thinking the same thing about his new role. I went on sabbatical, came back, and Jim said, 'How about security? We've got a really interesting, challenging situation that you could jump in and help with,' and I said OK, sounds interesting.

Mike Nash took so many of those early arrows around security. How do you think your tenure in this job will differ from his?

Fathi: If you look at where we were four years ago and where we are today, we've certainly turned the corner. We've really come a long way. One of the things that Mike did really well was delivering Microsoft's message on security and being the visible face of security in the industry and with the press. I love getting my hands dirty, getting involved with the designs and looking forward to what we want to do. I'll be very hands-on with the design and development of future security-related stuff.

But will you still have some public profile with the security community?

Fathi: We have webcasts. We have community chats. We have participation in Black Hat, and [we're] bringing in the Blue Hat conference. None of that is going to change. What I do want to do is get some of the people who work with me -- like Scott Charney, vice president of Trustworthy Computing -- more involved. I have people working for me who run the various development groups. I'm going to give them the opportunity to step up and do some of these community chats [and other activities].

Can you secure software as a service in the same way you secure desktop software? How do you do that?

Fathi: There're a couple of ways. We believe in SDL, first and foremost -- the Security Development Lifecycle. We have people assigned to work with each of the development teams to look at threat modeling. If you start earlier in the development cycle, you do have the time to do that, to apply the security guidelines to it.

We're not only looking at providing a secure platform but providing defense and depth to our products. That's how you provide things like fixes to vulnerabilities through a service. Look at the automatic updates that everyone has turned on today. That's a service to us. We're updating it every month. We're sending bug fixes down. We're sending security improvements to our components so we're already in this world. We're already taking this process to the next step. And this just will evolve as we go to a services environment.

Are you happy with the Patch Tuesday process? Any changes in the works?

Fathi: I am happy with Patch Tuesday. The feedback [from customers] we have is that they like having a regular monthly set of patches -- knowing exactly when it comes, having the communication around -- that a week earlier we send out an advisory. Overall, I think we've come a long way from a couple of years ago where it was really ad hoc.

This article originally appeared on
