Adrian Stone's Blog

Musings on security, technology, & whatever else.
!Exploitable & Making Deposits

A couple of weeks ago I posted over on the EcoStrat Blog detailing a bit of what my team in the Microsoft Security Response Center (MSRC) does in addition to the recent work ICASI members have been doing with CVRF. For those of you interested feel free to check out the Making Sense of the Random & Mining For Gold post. Among other things, that post got me thinking about how there is plenty to cover just in regards to reporting vulnerabilities to MSRC and how we handle issues reported to secure@microsoft.com. Perhaps when I have a few moments of spare time I can put together a blog post on that topic alone.

In my EcoStrat post, I talked about how our job can sometimes be like mining for gold. After recently returning from the CanSecWest conference, I can say that sometimes this job is also like having gold nuggets tossed at you willingly by others. I love having the opportunity to get out of the mother ship and talk to security researchers who are actively working to help make our products better by finding vulnerabilities and reporting them to us responsibly, so we can address the issues while not putting customers at risk. Being able to have the face-to-face interaction is invaluable for us here in the MSRC. I will never turn down an opportunity to listen to what other security researchers are working on, what they think about the state of the industry and our products, and how Microsoft and the MSRC can do more to make the computing ecosystem more secure.

I also hope that every once in a while there is an opportunity for us as a company to put some gold back in the till. The sharing of our SDL framework, the knowledge gained as a result of some of the growing pains we experienced while learning to improve the security of our products, and the recent launch of the Microsoft SDL Pro Network are some examples of where we are doing this on the SDL front. Another example came recently at CanSecWest, when a colleague of mine, Jason Shirk, unveiled another contribution to that endeavor.

Jason, a Security Program Manager over in the Security Research Team that works on a lot of our fuzzing efforts, took the wraps off of the !Exploitable tool (Bang Exploitable) for those in attendance at the conference. Basically, !Exploitable is a plug-in for the Windows debugger that categorizes crash information and estimates the potential exploitability of a possible vulnerability.

Check out the article where Jason talks a bit more about !Exploitable and how it works. It is cool stuff and it is available for download over on CodePlex. One of the things Jason says is that tools like !Exploitable essentially provide a means for us to be on the same page in terms of what exploitability means for a potential issue. He is definitely right, and I can say from the various types of vulnerability reports my team receives at secure@microsoft.com that this is a major challenge we encounter.

!Exploitable helps developers make their code more secure and helps us all by giving a common starting point from which to have the "Is it exploitable?" conversation and that is definitely worth a few deposits into the till, in my opinion.

-A

Live From Redmond: It’s Wednesday Morning!

Last month Christopher Budd, my regular co-host for the Monthly Security Bulletin Webcast, and I went through the usual business of walking through the security bulletins that were released for February. Except that something was different from the usual Wednesday morning webcasts we have hosted over the last two years. This time we had a camera pointed at us the entire time, recording every bit of what transpired over the hour. The video footage was later posted on the TechNet Edge site for our customers to watch at their leisure. Of course, having the camera and lighting equipment changed the flow of our presentation and definitely added an extra layer to the multitude of things we have to keep in mind as we run down the usual list of vulnerabilities, mitigations, and security update details. We made it through the hour with some great questions posed to us by our audience, and all was good with the world. Anything that wasn't (like my ever-present need for infusions of Diet Coke throughout the webcast) was of course promptly edited out in post-production.

The webcast apparently went so well last month that our Security Response Communications Team decided it would be a great idea to do the video portion of the March webcast live. Now here is where I think it is important to note some of our "more interesting" webcasts from the MSRC archives. In the last two years, we have lost power in our building, requiring the backup generators to kick in; the audio link to the webcast audience has gone down; network connectivity to our team of subject matter experts has dropped; and our printer has jammed. We have even conducted the webcast during various forces of nature: blizzards, windstorms, and yes, even the flooding of our building. Murphy's Law historically has not had a problem making itself evident on webcast Wednesday.

Now let’s fast forward a month to March 11th, shall we? For starters, my fellow MSRCer and EcoStrat Team member Steve Adegbite joined me to allow Christopher Budd a well-deserved break from the March webcast. Second, during the webcast we actually lost power to the camera and audio system, causing us to go offline momentarily. After a bit of looking around to determine what exactly had happened, Steve and I realized that we were off-air and that, despite the fact we had continued talking, no one was on the other end watching or listening live. The good news is that the production team had everything back up and running almost immediately. I guess it was Murphy's way of once again letting us know that he is a big fan of the webcast, and while some may have found it entertaining, it sure wasn’t intended to be that way.

Regardless of the audio/video gremlins, it was a great webcast and hanging out with Steve for an hour to take customer questions was a blast. The video footage from the webcast has been posted here in case you missed it. Of course, thanks to the wonders of post-production editing you would never know from watching it that we even experienced a hiccup.

Hopefully you will join us for next month's webcast on April 8th and if we are lucky Murphy will take a day off too.

-A

Where We Started & How We Got Here

When I talk about Microsoft and the subject of security, it is inevitable that someone will chime in with a less than stellar remark referencing Slammer or Code Red or some other flavor of pain from history. The facts are undeniable: as a company we come to the table with a lot of baggage, and that history contains moments that some might want to forget. That’s why I love working with Steve Lipner. Steve’s knowledge of MSRC and Microsoft during some of our worst days is encyclopedic in detail and incredibly candid and direct. He has been and remains a strong part of the foundation that has allowed us to even out the balance sheet a bit, and he has been instrumental to the progress we have made in security over the years. To this day Steve continues to provide great insight by reviewing our bulletin drafts prior to release every month and sharing his thoughts on the upcoming release so that I can follow up with my team. Steve is one of a group of hard-working MSFTies who have helped us get to the point where the words “Microsoft” and “security” are no longer mutually exclusive.

Last Friday, my day started with an email from Steve reminding us of a pretty significant moment in the history of our organization, the Security and Engineering Department of which MSRC is a part. Seven years ago this week, Mike Howard and others in what was then our vestigial organization began training thousands of developers, testers and program managers at Microsoft on secure development practices. The overall effort has often been referred to, both internally and externally, as the "Security Push". It took 2 months to train roughly 10,000 personnel, but ultimately it resulted in the release of Windows XP SP 2, Windows Server 2003 and several other products that were a demonstrable improvement in terms of security over their previous iterations. The numbers have clearly shown over time that the SDL methodology, which has since become formally integrated into how we develop software, has reduced the attack surface of our products and made them more secure.

Now don't get me wrong. I am not swimming in the Kool-Aid either. Last time I checked, the MSRC still releases security updates every month and my team continues to receive new vulnerability reports to investigate. We still have plenty of work to do, but it is always nice to see demonstrable progress and look at how far we have come, which I believe even the most hardened of cynics can agree with. I was once one of those cynics, and as I am sure my colleagues would tell you, I still am in many ways. Being a cynic is how I ended up here, which is a story for another day.

In any case, check out Steve's video here as he walks through what life in the MSRC was like prior to the "Security Push", and thank you Jason Garms, Steve, Mike Howard, and numerous others for building the foundation that lets me sleep a little more often without interruption from the pager.

-A

Hello World!

So after 3½ years with the Microsoft Security Response Center, making guest posts on the MSRC blog, and my friend Rob Hensing splashing photos of me with my trusty steed Patches all over the interwebs on his blog, I decided to finally launch a blog of my own. Thanks, Rob; I can only hope that at some point I will be able to repay you in kind with a flattering photo or two. :)

I guess the fundamental question for this post is, what was the reason for finally taking the plunge with my own blog? In addition to the random post that can be expected on various things security- or technology-related, life at MSRC really is like a box of chocolates. From one day to the next you are challenged with interesting situations, and are constantly making decisions that have a tremendous impact in securing Microsoft's customers. While some may say otherwise, it is by far the best job in the world. As a result, I plan on sharing a bit of what "a day in the life" is like as well.

Just as my first foray into programming some twenty-plus years ago resulted in nothing more than a "Hello World!" dialog, so it goes with my first post. It was nothing too exciting to look at, nor all that functional, but it was definitely the start of something exciting for me, and just like then, I can't wait until we get to Slalom skiing.

-A