Microsoft's US general manager/chief security advisor for its National Security Team thinks like a true security professional: In every bit of good news, Bret Arsenault wonders what bad news could be lurking behind it.

Speaking at the recent SecureWorld conference in Boston, Massachusetts, the 19-year Microsoft veteran whose job includes protecting enterprises, developers and Microsoft itself, said there actually is plenty of good news on the security front. For example, his outfit scans a half million devices (with customer permission) per month, and in the first half of last year saw the first period-over-period decline in new vulnerabilities disclosed across Microsoft and non-Microsoft software since 2003.

However, 3400 new vulnerabilities were discovered and "it's still a big number," he said. "So if vulnerability rates are down, where are they?"

One trend that pops out is that attackers are increasingly laying off operating systems and exploiting applications instead. One reason for this, he said, is that vendors like Microsoft, Apple and Red Hat have done a good job in recent years securing the IP stack and operating system.

Arsenault pointed out that the first operating system hardening guide Microsoft wrote for Windows 2000 came 18 months after shipment of the product; the next (for XP Service Pack 2) was within 90 days of product shipment. With Vista and other new products, Microsoft ships the hardening guide along with the product. "On the application side, on the other hand, we're very far behind," Arsenault admitted (though he added that the Office 2007 hardening guide is very solid, even if it did take a year-plus to release it).

"You have your classic arms escalation race between the hackers and the people who are trying to protect [software], so [the hackers] go after the easiest target that's least protected," he said. "The application space is the next space in the model they're going after," and he sees this continuing to be the case for at least the next few years. And he is talking about Office as well as CRM, ERP and other programs that contain the sorts of data that financially-motivated hackers crave.

"This is not a problem that people should be thinking is just an Office problem. It's anybody who uses file formats that are not XML based going forward." Adobe, Corel and Google are among others facing similar challenges, he asserted.

Microsoft has made fixes to older products, such as Office 2003, but Arsenault emphasised that it's a lot harder to retrofit an old product for a new environment than it is to build a newer product, say Office 2007, more securely. He drew an analogy between the trade-offs of updating older software and his desire to add airbags to his 1992 Toyota: He can (and will) actually get it done, but it's going to cost him.

Another thing that worries him: security issues surrounding Web 2.0, web services and software as a service. "They all rely on deeper trust at the client level and a smarter client to do that trust model," he said. "We can't assume that the traditional model we are using is actually going to work."

Danger signs are also emerging when it comes to securing virtualised systems.

"Your CIOs have no clue as to where we are on this," he told the audience of security pros. "I think that there's a lot of things we don't have right on virtualisation as an industry... We've got the ability given its nascent state today working with all the folks doing virtualisation to put some things in hypervisors and other components that would allow us not to play catch up like we have over the past 7 years in security."

Microsoft gathers security data in a number of ways and formats, including its Security Intelligence Report, now conducted twice a year but potentially going quarterly.

Among the most frustrating findings for Arsenault: Just over half of all attacks originated from the .edu domain. "[That's] a fundamental problem," he said. "We've got to do a better job with the university systems to stop that."

As for geographically where attacks are coming from, all eyes are on China, the source of 380 percent more attacks than a year ago.

In terms of what kind of malware is showing up most often, Trojans are on the rise. Rootkits are raising their ugly heads, but fortunately, Arsenault said, they're so hard to write that they probably won't get too much worse.

On a positive note, Microsoft is seeing the amount of publicly exploitable code, at least for its own software, shrink. But he does sweat over whether there's really less exploitable code, or whether it's more a case of such code just being kept secret by nation states looking to wage cyberwar.

Microsoft also gets a read on security issues by holding CSO and CIO summits (Arsenault is executive host for the company's annual CSO Summit, at which 300 top CSOs, mostly from the US, partake). Microsoft compares data from the two groups to determine whether security concerns are being taken seriously by CIOs.

In Microsoft's latest survey of CSOs, it found that protection is the top security issue (62 percent), followed by identity/access management (57 percent) and compliance (44 percent and falling in the rankings, a finding consistent among CIOs as well). Secure messaging/collaboration is among issues on the rise, as is application architecture ("The biggest question there is how far back you go in your code base," Arsenault added). Patch management ranked 6th on this list, with 29 percent citing it, though Arsenault says this topic ranked first about years ago.

Arsenault also spent a chunk of his talk discussing why Microsoft makes the security investment and partnership and technology decisions it does, and steps Microsoft has taken internally to shore up its security and protect its own intellectual property and systems. He noted that decisions, such as what security products to include in an operating system, aren't always up to Microsoft given certain regulatory restrictions. Others, such as how to integrate security and management products, are also complex. He also discussed the requirement to weigh the needs of enterprises, small businesses and consumers, noting that security at the consumer level can have a big impact on enterprise security.

Arsenault isn't your typical Microsoft speaker. He prefaced his talk by noting that he has spent his entire career at the company outside of the profit and loss side of things and doesn't really care whether you buy Microsoft Forefront security products or technology from someone else (he even confessed to using Quicken rather than MSN Money). "I have a vested interest in reducing security risk in the overall environment so we don't slow down the computing stuff that's been going on or what you're doing over the Internet."