Over the past few years, Microsoft has aggressively sought to change the perception that its products have poor security. The company says that Windows Vista, which has been released to manufacturing, will be its most secure operating system to date, representing a top-down change in how its programmers develop code with security in mind.

Stephen Toulouse, senior product manager for the security technology unit, spoke with IDG News Service about how Microsoft’s security teams approach problems with software and the current threat landscape. An edited transcript of that interview follows.

IDG: It seems over the past few months there have been fewer vulnerabilities that would affect, say, millions of users. What is your perception?

Toulouse: To watch how the threat landscape has evolved has been very interesting. When you look back at where we were four years ago, we didn’t have the security development lifecycle; the operating system didn’t have a firewall. I think you are seeing more complex attacks, more social engineering. I think the simplistic attacks of the past with worldwide impacts are far fewer, and we expect that to be further reduced. But we can’t let ourselves be complacent. I think what you’ll see in the future is far more defense in depth in applications and in operating systems, and that is going to generate far more complex attacks. Attackers are not going to stop.

IDG: Do you think the number of fixes issued on Patch Tuesday will fall with Windows Vista? How about with older operating systems and products?

Toulouse: My viewpoint on update Tuesday is it’s impossible to predict the peaks and valleys of the operating systems that are out today. But one of the goals we have with each successive product that we make is that we learn the lesson and implement the new functionality and new security so that over time, you see a reduction not just in the number of vulnerabilities, but their impact on the customer. So I would expect that with Windows Vista, that will be lower. You know that you can’t get the code perfect.

IDG: Will we know more about vulnerabilities found in Vista when the penetration testers who tested it a few months ago are no longer under nondisclosure agreements?

Toulouse: When we went to Black Hat in Las Vegas, we brought the product [Vista] with us and we handed out 3,000 copies. We were out of DVDs before the end of the conference. They take the code and have fun. It was a prerelease version in July. They were free to bash on it. From our perspective, the security researcher input was unprecedented. They’re the experts. We didn’t have a lot of people come back and say, “I found a vulnerability.”

IDG: A security vendor, Secunia, recently claimed there was a vulnerability in Internet Explorer 7. Microsoft countered that the software is intended to work that way, even though it could be maliciously exploited. What’s your take?

Toulouse: I think a lot of people confuse an attack vector with a product that has a vulnerability. There’s a challenge on what is a vector and what is the vulnerability, and that’s just a matter of opinion in a way. To the extent that people talk about unsafe features being a vulnerability, what do you do when you adhere to a specification and that specification turns out to be unsafe? They have their opinion on it, we have our opinion on it. We certainly respect the guys over at Secunia. It doesn’t mean that we won’t go back and take a look at that. There are times when we will look at functionality when it gets co-opted by attackers and we’ll make a modification. That’s always on the table.

IDG: Microsoft has made some changes to its security teams. The security technology unit (STU) is now part of the trustworthy computing (TWC) team? How is that going to change Microsoft’s tack on security?

Toulouse: Everything is still a little bit up in the air because as reorganizations go, the complexity often is what drives the time. But the current situation is such that the STU and TWC groups, which have mutually complementary goals for driving secure code, will merge. What does that get called in the end? I don’t think that’s been decided yet. Function-wise and role-wise, I think you are going to see the exact same thing. We committed to this as a company. We’ve got to have this group that sits away from everybody and provides security expertise and review. That’s critical to ingraining security as a culture.

IDG: How would you describe the relationship between Microsoft and the independent vulnerability hunters?

Toulouse: It depends. The security researcher community is incredibly diverse. All of them have different viewpoints, different philosophies. Our relationships with security researchers are probably better than they ever have been. We’re certainly seeing more security researchers working with us, but we’re also seeing researchers who go public [with vulnerabilities before informing Microsoft]. When we actually sit down with these guys and ask, “Why do you go public?” the answer surprised us. They said, “To protect customers.” Now, unfortunately, from our perspective, the attacker can take it and go use it. We engage in a dialog with [security researchers]. We may disagree on method from time to time.

- Jeremy Kirk, IDG News Service (London Bureau)