I enjoy telling stories. Perhaps, in a former life, I spent time as a bard telling stories of Robin Hood and Maid Marian as I travelled from town to town. Perhaps I just spent too much time playing The Bard’s Tale on my Tandy 1000 back in the day. Either way, I enjoy telling stories to people. It’s even better when I get to tell stories that relate to my job. Recently, I was given the opportunity to tell some stories at BlueHat V10, and that presentation is now online for the world to see. One area of my job that always piques people’s interest is the challenges we face on a day-to-day basis. These are the stories I chose to highlight in the Bluehat V10 presentation, and unlike most old bard’s tales, these stories actually happened.
Of course, stories always have a greater impact when they make a point. In each of the case studies I talk about, something went wrong. And let’s face it, if I’m involved, it means something has already gone wrong. That doesn’t mean that someone was at fault, just that things did not go exactly as we expected.
When I was originally approached about presenting something, I immediately thought of a few themes I wanted to highlight about what goes on in MSRC. First, few people understand the scope that we deal with every day. I may joke about rebooting countries (just watch the video of the presentation), but it’s really not much of a hyperbole to say that. The actions I take and decisions we make have far reaching consequences, so we take them seriously.
I also hoped to highlight the number of moving parts we have in any given security update. In addition to all of the work I do, there are developers, testers, engineers, product groups, communications people, security gnomes, operations personnel, release partners, independent security researchers, and the list just keeps on going (sorry if I left you off). My job is to ensure all of these folks work together toward the common goal of addressing each issue and protecting our customers. I’m not asking for your sympathy here (though I’ll gladly take it), but most people have little understanding of the massive amount of coordination and work it takes to release five new lines of code across 22 platforms in 36 languages.
So how do we manage to make all of this happen the second Tuesday of every month? Well, there are 3 P’s that exist here that really drive us to success:
· Passion – Everyone I work with is very passionate about security and protecting customers. Let’s face it, if we weren’t passionate about this, we wouldn’t last long in the sixth worst job in science. And hey, we actually did buy a customer’s laptop just to get repro (and that wasn’t the first time).
· Process – We’ve done this before. And each time we do it, we learn more and apply those lessons toward doing it better the next time.
· Pragmatism – Although we might not get everything 100% perfect 100% of the time, we realize we can go back to those first two P’s to cover us when something goes a bit askew. Release Tuesday is huge for us, but it’s not the end of anything; just a major milestone. We actively monitor the ecosystem to make sure everything is behaving the way it should.
Well, I hope you enjoy the presentation and the stories I tell in it. If nothing else, it provides a framework for understanding what’s behind that little bundle of joy we deliver every second Tuesday. And if you happen to find me wandering in Skara Brae and would like to hear any more stories, we can head over to ye old tavern where I will spin a few yarns for you. I might even be the one buying. :-]