Katie Moussouris here. I’m the newest Security Strategist here at Microsoft. I was brought in by Sarah Blankinship to contribute to the work of the MSRC Security Community Outreach Team. I work in the group that is responsible for securing current and future Microsoft products.
My background is application security, having come from Symantec by way of the @stake acquisition. I founded and ran the Symantec Vulnerability Research Program. Before that, I spent many years as an application penetration tester, security researcher, and started the security response program for an OS company. There were penguins involved – but that can be our little secret (just between you, me, and the Internet). ;-)
This installation of BlueHat was my first attendance as an “insider”, and I was able to see for myself that the true beauty of BlueHat was making sure the right people met and spoke to each other outside of the lectures. The event allows for the natural convergence of passionate technologists (researchers and MS engineers alike) to come together and brainstorm about ways to protect end users now and in the future.
One of these opportunities for interaction was introducing RSnake to the IE team and anti-phishing task force so that they can talk about how we can work together to come up with better ways to fight phishing, cross-site scripting, cross-site request forgeries, and their ilk. I can’t wait to see what the researchers bring us in September!
Another cool thing I got to do in my first 30 days at Microsoft was speak at ToorCon Seattle (Beta). (See – I wasn’t assimilated.)
The talk was titled “Vulnerability Disclosure Panel Remix” and it was the perfect opportunity to ask the security community “What makes a ‘good vendor’ from a researcher’s perspective?”
This direct feedback from the research community can help not just Microsoft find more efficient ways to maintain friendly relationships with researchers, but also help other vendors improve their researcher relations. It’s my job to help Microsoft lead the way when it comes to proactive security community outreach. My 20 minutes of running around in the audience this past Saturday with mic in hand was more than a “How’s my driving?” exercise; it was a “How’s everyone’s driving?” exercise. We all share the road, traffic is heavy, and we all have some miles to go before we reach home.
Hello everyone,
This is Christopher Budd. As Andrew noted in his posting yesterday, on Thursday we had our Spring 2007 BlueHat Security Briefings. I had a chance to attend, along with several of my colleagues from the MSRC and Sarah was kind enough to let me do a guest post to share some thoughts on BlueHat from the standpoint of someone involved in security response.
As Sarah and Andrew mentioned in their posts, BlueHat is where we bring outside security researchers to Microsoft to talk about the latest work they’re doing. BlueHat is open to any and all full-time Microsoft employees (hence the “blue” in BlueHat…the badges we wear as full-time employees have blue borders around the photo). While there are a number of us from the security groups at BlueHat, the majority of the people who attend are people who aren’t in the security groups. Instead, they’re mainly people who work on the features and products we all use every day, like Windows and Office.
From my point of view, this is something that makes BlueHat unique among security conferences: I don’t know of any other venue where security researchers talk to an audience mainly composed of people who consider themselves first and foremost engineering professionals rather than an audience of security professionals. Even more to the point, BlueHat is a place where people developing software hear from the very people who will one day be looking for vulnerabilities in that software. For example, people I know in the Windows Mobile group heard John Hering and Kevin Mahaffey’s session “Emerging Mobile Security Problems, or How We Learned to Stop Worrying and Love Windows Mobile”. They’re back at work today, but they also now know some things about new and emerging threats and they’re putting that to work. To put it another way, as someone in security response, I usually see the world of security researchers and our developers come together after products have been released, as we investigate vulnerability reports the researchers bring us. BlueHat is different because it brings the security researchers and developers together before products are released. There’s no way to know how many bulletins haven’t been written because of lessons learned from BlueHat, but I firmly believe there are more than a few.
Overall, BlueHat is an example of the work we’ve done in the past few years to try and integrate security fully into the software development process: our SDL process is another example of how we do this. And while we know we’ll never eliminate vulnerabilities entirely (that’s why we maintain a robust security response process to address vulnerabilities when they do occur) we do things like BlueHat to help our software adapt to the evolving threat environment.
Honestly, Microsoft sometimes has a reputation for losing focus, and people have asked me if that will happen around security someday. The fact that we’ve just finished our fifth BlueHat conference shows a level of ongoing commitment and that security is something we won’t lose focus on: it will always be a priority, and our development culture will continue to change as we incorporate the many dimensions of security.
Thanks, and see you back on the MSRC weblog.
Christopher
*This posting is provided "AS IS" with no warranties, and confers no rights.*
BlueHat is Microsoft's own little hacker con. We host it twice a year -- the sessions today were all about innovation in security research.
What did we learn? That Microsoft cannot solve the security problem, but we can raise the bar substantially to the point where finding bugs in Microsoft products is hard, and building reliable exploits even harder. Reaching this lofty goal requires that we learn from the innovators: spot trends, learn of new attack techniques and vulnerability types, and add defenses and countermeasures to help turn the tables on attackers and ultimately protect customers.
Highlights from this BlueHat include: new insights into mobile & web app hacking, vendor-agnostic issues in security protection offerings, the art and science of reverse engineering security patches, and interesting stories about how some of our speakers cracked the Xbox 360.
We look forward to bringing you more content, links to podcasts and channel9 video from this edition of BlueHat.
-Sarah Blankinship
Senior Security Strategist
I work for Andrew Cushman; take a look at his first MSRC Blog post.
Speaker bios and abstracts are here.