February 20, 2007
I'm going to work for Microsoft
I've decided to join Microsoft's ACE Team as a senior security consultant.
Although most of my Linux and Apple zealot readers have long considered me a Microsoft employee already, I've just accepted a senior security consultant position with Microsoft's Application Consulting Engineering (ACE) Team. You can read the ACE blog here.
And I could not be more excited. Many of my trusted friends and acquaintances who taught me much through the years, like Brett Hill, Bill Boswell, and Mark Russinovich, have preceded me. I'm not worthy, I'm not worthy...
Having been a 20-year Windows security veteran, my new role is a natural fit. And I love the team, and the bosses are cool. Everyone is very committed to making software and infrastructure more secure. The team comes from around the world, with various levels of expertise in different fields. I thought I'd be bringing my "unique" Linux and OpenBSD experience to the team, but it turns out that many of my team members know even more about both topics than do I. I always think knowing both worlds makes a better security consultant.
I'll be writing a column on my new job soon. First, though, another column I'm writing on DDoS attacks is being published this week. I will always let my passions drive the column content. And right now, I'm more fired up about DDoS attacks and the lack of good defenses than I am by anything else.
What does that mean for my blog and the column overall? Am I going borg'd? Will it only contain Windows-positive articles?
No, of course not. Like a lot of the other Microsoft employees, we all have our own opinions. And although many readers might be surprised, the harshest critics of Microsoft security I hear are MVPs and Microsoft employees. The most heated flame wars and name calling (well, maybe not name calling) come in private Microsoft security forums where people feel more protected to state strong opinions. If you don't believe me, email any Microsoft MVP to confirm.
While my own column has regularly supported Microsoft on many topics (IE 7, Vista, IIS 6, etc.), it's also pointed out flaws and concerns. I was among the first who blogged about the new MSN banner ad exploit. My New Year's resolution proposal was for my readers to learn OpenBSD (not Vista). Just because I point out that IIS 6 has only had 3 reported vulnerabilities to Apache's 33, in the same time period, and that Microsoft is doing a better job overall on security, does not make me borg. I think it makes me balanced. I frequently have called OpenBSD the most secure OS on the planet, in the same columns.
It is my hope that this column continues to focus, as it has always done, more on computer security in general, than on a particular vendor or product. After 20 years of computer security experience, I'm a computer security skeptic. I don't completely trust any of the computer defense products! I am the reader's advocate and I spend my time trying to decipher between what is and isn't real in vendor attestations. It's that role, and bringing to light pressing computer security concerns (e.g. banking trojans, DDoS attacks, identity theft statistics, spam, etc.) that this column will continue to focus on.
On the same hand, I will absolutely be developing more Microsoft Windows security content in my new job. It's my hope to provide more comprehensive analysis, documentation, and practical recommendations, and share that with readers. I don't think that is a bad thing as 90% of the world's desktops run Microsoft Windows. However, Microsoft-only content will probably be done on the ACE team blog, but I'll have links in this blog to content I think is important to share with readers.
Posted by Roger Grimes on February 20, 2007 06:44 AM