Mark Curphey here......
I am the Product Unit Manager (or "PUM" in MSFT speak) for the Connected Information Security Group or CISG. Welcome to our new team blog. We are a software development team of about 35 developers, program managers and testers that supports Microsoft's corporate information security program; itself part of Microsoft IT and I manage the team. We are responsible for designing and building software to support the information security program, a lot of which is or will be released to our customers and the public in general as well as being deployed for our own use. We have built and support a broad portfolio of technology ranging from identity management solutions, security scanning tools, threat modelling tools and development libraries and will be focusing on the security management space in FY09.
You will be hearing a lot more about what we think will be "the next big thing" and about big projects we are working on over the coming months but for the first month or so we plan to share our thoughts and plans to update the Anti-XSS library (and probably some associated tools).
This week well be posting introductions from the team working on Anti-XSS including developers, program managers and a UX designer. From next week onwards well launch into detailed posts on the project that will generally fit into three main categories;
Myself and the program managers will share information about how we organize projects, set up Visual Studio Team System to support our development, how we use AGILE and SCRUMM and other program management techniques to track our work as well as discussing the high level project design ideas and industry challenges. The developers themselves will share deep technical and code level thoughts and ideas on the problems they are tackling and our UX guy will explain our thoughts and plans around user experience including developing personas, UI and documentation.
In keeping with the introductions that will follow from other members of the Anti-XSS project team this week here is a short bio about me.
I graduated from Royal Holloway, University of London with a Masters degree in Information Security in the mid-nineties as a mature student; a little late to the party after a "misspent youth"! Royal Holloway is most recently famous as the cryptography school where the cryptographer Sophie Neveu was educated in the best selling novel “The Da’Vinci Code”. After spending several years working at various investment banks in the City of London working on a variety of technical projects including PKI design, Windows NT security, policy development and single sign-on systems, I moved to Atlanta to run a consulting team performing security assessments at Internet Security Systems (now IBM). In late 2000 I took a job at Charles Schwab to create and manage the software security program, essentially creating the equivalent of the SDL program. It was during this period of my life that I started OWASP, the Open Web Application Project which now has over 10,000 members globally and is recommended reading by the Federal Trade Commission and the National Institute for Standards (NIST). In 2003 I joined a small startup called Foundstone to take the experience learnt at Schwab to other Fortune 1000 companies. The company was sold to McAfee in October 2004 and I joined the McAfee executive team reporting directly to the President continuing to run the consulting business. I was awarded the Microsoft MVP for Visual Developer Security in 2005.
In late 2006 I left Foundstone and the States, moved back to Europe and took some timeout to think seriously about designing and developing an information security management platform, work that is continuing in CISG today. I enjoy speaking at conferences, have contributed to several MS Press security books and have worked with the Patterns and Architecture Group (PAG) on threat modelling and code review guidance. I am currently writing a chapter for the O'Reilly book Beautiful Security on designing and building the next generation of security management technology. I have a personal security blog at http://www.securitybuddha.com and am a recent "mid-life crisis" convert to jogging and kite flying.