Shostack + Friends Blog Archive


I’m Joining Microsoft

I’m very pleased to announce that I’ve accepted a position with Microsoft. I’ll talk in a bit about the work I’ll be doing, but before I do, I’d like to talk a bit about the journey that’s brought me here, and the change I’ve seen in Microsoft that makes me feel really good about this decision.

I started my career as a UNIX sysadmin. You can find really old email from me to Sun-managers, or a 1994 “Introduction to S/Key.” In the past, I’ve heaped scorn on Microsoft’s security related decisions. Over the last few years, I’ve watched Microsoft embrace security. I’ve watched them make very large investments in security, including hiring my friends and colleagues. And really, I’ve watched them produce results.

In making this decision, I’ve had conversations with many people and organizations. The one theme that stands out was the difference in the conversations I had with Microsoft versus other software producers. Some of things that Microsoft does and are looking to improve haven’t even made it in rudimentary form anywhere else. I found myself having to shift gears and explain Microsoft’s Security Development Lifecycle. I noticed no one else with a Blue Hat conference. No one else stopping feature development to hunt for bugs. I (re-)discovered how few organizations have even basic formal security processes in place, and how few of those have audit to make sure that their processes are followed.

I realized just how many smart people are thinking about these questions at Microsoft, and I’m glad to be joining them. I’ll be working on threat modeling and improving that afore-mentioned Security Development Lifecycle.

Part of the process that’s taken a long time and has been hard for me is that Microsoft is adamant on minimizing risks of intellectual property contamination, and that includes technical advisory boards (TABs). Looking around, I found exactly two Microsoft employees on commercial TABs. One was John Conners, CFO, the other is Rob Willis, who founded the company he now advises. Two people. Six years. I might have had a slightly better chance if I wasn’t taking the role I’m taking, in a central security group. I want to be clear that my decision is about the tremendously cool opportunity within Microsoft, not a lack of confidence or enthusiasm for the companies I have had the pleasure of working with. I remain enthusiastic, and wish all of them them great success.

That said, Microsoft didn’t offer to buy this blog. It remains mine, with a healthy dose of Chris and Arthur, and lots of great reader comments. I am free to say what I want here, and they’re free to question my judgment. At the same time, I’m going to shy away from some topics: Microsoft. How other companies do security processes. Why you should use IE. I’m going to shy away from these, at least initially, because there’s a tendency to take everything Microsoft employees say as company gospel, regardless of disclaimers, etc. I expect to speak more about liberty, privacy, breaches, usability, and as I find them, giant animals.

So, I’ve joined Microsoft, and I look forward to doing great things here.

16 comments on "I’m Joining Microsoft"

  • Chris Walsh says:

    Uh, Adam, does this mean that the category in which this announcement appears will soon be renamed “Gates”?

  • Chris Walsh says:

    I note with some humor that, unless I have the timing wrong, sun-managers was run off a server I was sysadmin on when Adam sent his email (or maybe it had moved to ANL by then). If I had a tape drive to read my old archived email, I’d know :^)

  • Alex Hutton says:

    So you’re the new Scoble?!

  • Izar Tarandach says:

    Damn, now I can’t go around saying “Microsoft doesn’t take any real, meaningful steps towards security, it’s all an elaborate ploy menat to give us the cheapest security just so we’ll get off their backs” anymore…
    Congratulations on the decision – I am sure it wasn’t an easy one, but I guess those who know you won’t hold it against you. We’ll just poke real fun on you, but you know it comes from a good place, don’t you?
    But I guess I’ll hold on being seen in public with you, at least until the tomatoes and assorted putrid vegetables stop flying in your direction 😀

  • Shyama Rose says:

    Good work Adam. Can’t wait to see how the changes you’re involved in turn out. Cheers!

  • Congrats, let me know if there’s ever anything I can help you out with.

  • bp says:

    Don’t make a fuss, just get on the bus! congrats!

  • Fletcher Christian says:

    This could be a bad thing… way to join the evil empire 🙁

  • robin says:


  • Lorin Olsen says:

    Congratulations on your decision to join Microsoft. Last December, I faced the same decision that you have faced. After years of discounting Microsoft rhetoric on security, I was asked if I wanted to join Microsoft. As I looked back on what Microsoft had done since the inception of the Trustworthy Computing intiative, I was forced to admit that Microsoft had done far more than most other corporations. I too was struck by the fact the Microsoft was willing to idle its development engine in order to retool that engine. And I had to admit that Microsoft had made immense strides in becoming “enterprise-worthy.”
    So in January of this year, I joined Microsoft. And I have enjoyed every moment since then (OK, not every moment, but pretty darned close to that). Microsoft is an interesting company. After spending 18.5 years at a telco, I found the a system that was devoid of the traditional bureaucracy that I had left. And I found a company tht really empowers people.
    So here is my advice to you. Find a mentor and work with that mentor on a regular basis. Pay attention to your “commitments” as they will form the basis of how you move through the company. Don’t be afraid to speak up and be a “squeaky wheel” as it makes a difference at Microsoft. And always remember that Microsoft is not a behemoth. It is a group of dedicated and bright people. It is the people that will make your Microsoft journey most enjoyable.
    Good luck!
    aka, Lorin Olsen

  • sama says:

    Let’s see who else Adam scares away…

  • Drew Lehman says:

    Well, well.. look who’s hitiing the big time. I can’t say I agree with your decision, but hopefully you can make a difference before MS eats itself alive. Good luck!

  • Nick Owen says:

    They weren’t interested in the blog, eh? I say donate it the foundation!
    Things are saddly sober around here now.

  • ex-colleague says:

    Holy cow. Poor sod.

  • Molly C says:

    Congrats, Adam.
    And congrats to Microsoft too. Since Microsoft’s wares are so widely used, it is imperative that they hire as many of the top security gurus as they can get. 🙂

  • Sharkey says:

    It does seem that M$ is getting quite a bit of good talent.
    Ask Toby who you should talk to about beer-debts inside their campus.
    Then again, with that awe-inspiring Microsoft salary, maybe you should be buying the beers at Defcon this year 🙂

Comments are closed.