Hello everyone,

This is Christopher Budd. As Andrew noted in his posting yesterday, on Thursday we had our Spring 2007 BlueHat Security Briefings. I had a chance to attend, along with several of my colleagues from the MSRC and Sarah was kind enough to let me do a guest post to share some thoughts on BlueHat from the standpoint of someone involved in security response.

As Sarah and Andrew mentioned in their posts, BlueHat is where we bring outside security researchers to Microsoft to talk about the latest work they’re doing. BlueHat is open to any and all full-time Microsoft employees (hence the “blue” in BlueHat…the badges we wear as full-time employees have blue borders around the photo). While there are a number of us from the security groups at BlueHat, the majority of the people who attend are people who aren’t in the security groups. Instead, they’re mainly people who work on the features and products we all use every day, like Windows and Office.

From my point of view, this is something that makes BlueHat unique among security conferences: I don’t know of any other venue where security researchers talk to an audience that’s mainly comprised of people who consider themselves first and foremost engineering professionals rather than an audience of security professionals. Even more to the point, BlueHat is a place where people developing software hear from the very people that will one day be looking for vulnerabilities in that software. For example, people I know in the Windows Mobile group heard John Hering and Kevin Mahaffey’s session “Emerging Mobile Security Problems, or How We Learned to Stop Worrying and Love Windows Mobile”. They’re back at work today, but they also now know some things about new and emerging threats and they’re putting that to work. To put it another way, as someone in security response, I usually see the world of security researchers and our developers come together after products have been released as we investigate vulnerability reports the researchers bring us. BlueHat is different because it brings the security researchers and developers together before products are released. There’s no way to know how many bulletins haven’t been written because of lessons learned from BlueHat, but I firmly believe there are more than a few.

Overall, BlueHat is an example of the work we’ve done in the past few years to try and integrate security fully into the software development process: our SDL process is another example of how we do this. And while we know we’ll never eliminate vulnerabilities entirely (that’s why we maintain a robust security response process to address vulnerabilities when they do occur) we do things like BlueHat to help our software adapt to the evolving threat environment.

Honestly, Microsoft sometimes has a reputation for losing focus, and people have asked me if that will happen around security someday. The fact that we’ve just finished our fifth BlueHat conference shows a level of ongoing commitment and that security is something we won’t lose focus on: it will always be a priority, and our development culture will continue to change as we incorporate the many dimensions of security.

Thanks, and see you back on the MSRC weblog.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*