Microsoft BlueHat Blog

  • BlueHat: Community Outreach

    Katie Moussouris here. I’m the newest Security Strategist here at Microsoft. I was brought in by Sarah Blankinship to contribute to the work of the MSRC Security Community Outreach Team. I work in the group that is responsible for securing current and...
  • David Litchfield’s BlueHat talk

    Brad Sarsfield here again. I’d like to share with you my thoughts on David Litchfield’s BlueHatv3 talk . David Litchfield is the Chief Research Scientist at Next Generation Security Software (NGS) and spoke to a 600+ standing room only crowd at Bluehat...
  • Bluehat v3 first thoughts

    Hi, I'm Brad Sarsfield (bradsa!); I’m the SQL guy here. One of the interesting things about me and my team is that I own the ‘slammer’ component in SQL Server, so by that very nature quite a large part of my job description is to ensure (and I quote)...
  • Software Security == People && Process && Technology

    Mark Curphey here. I run the Subscriptions Engineering Team in Server & Tools Online, where we build complex customer facing web sites like MSDN and TechNet, supporting millions of users. For the last 15 years, I have always held security roles, most...
  • The EMET 2.0 Training Video has arrived!

    Hey there, I'm pleased to announce that the BlueHat team has partnered with the dynamic Microsoft Security Response Center (MSRC) Engineering duo of Andrew Roths and Fermin J. Serna on a training video previewing the new release, version 2.0, of the...
  • BlueHat v11

    Jeremiah Grossman here. BlueHat is one of my favorite conferences of the year, and it’s one of the few I’ve consistently kept coming back to. The organizers put together an amazing event with consistently top-quality content, where the attendees...
  • Beliefs from an Ex-softy

    Jared Pfost here. I'm fired up to present at BlueHat. I really appreciate Noelle reaching out so it was a no brainer when asked to spin up a blog post. One thing that keeps popping up is my status as a former blue badge. Actually I'm a former twice over...
  • Token Kidnapping finally patched!

    Here I am again writing on MS BlueHat blog, this time about Token Kidnapping. The first time I talked about Token kidnapping was a long time ago and now after a year the issues detailed in the presentation are finally fixed. Let's see what happened...
  • Capt I.M. Hardened OS-Microsoft

    Hey, Steve here. Just finally settling back in after traveling a bit, meeting up with different parts of the security ecosystem. It was good to get out and see firsthand events like CanSecWest, and most recently Black Hat Amsterdam where I met with security specialists in and around the EU. Now that I am back in the States, I have caught up on my reading. I came across this article about what the US Air Force did to ensure that every computer delivered to them was in a set and secure configuration. This is a great approach and, if you can do it, I highly recommend it because the alternative is to bolt on security at the end, and that is always costly and not fool-proof.

    There is, however, a part of the article that is unclear. The article talks about how Microsoft was pressured into releasing special Windows XP versions for only the Air Force and government agencies. This is just not true.

  • Hack in the Box, and beyond…

    Marhaban! Maarten Van Horenbeeck here from the Microsoft Security Response Center (MSRC). This is the first time I have blogged here on EcoStrat. As a Security Program Manager with MSRC, one of the roles I have is to work with security researchers, and this often involves attending security conferences to meet with you. Two weeks ago, a couple of us in Trustworthy Computing (TwC) attended the Hack in the Box (HITB) security conference in hot and sizzling Dubai, United Arab Emirates.

  • Dune Busting and Browser Fun at HITB – Dubai

    Hi, Billy Rios here, I was recently invited to speak at Hack in the Box (HITB) in Dubai. While at HITB, I participated in two different talks, but I’m going to focus on the talk Chris Evans and I co-presented: “Cross Domain Leakiness.” Chris Evans is...
  • Announcing the BlueHat Security Forum: EU Edition

    Hey folks! I know this is typically the time of year when birds are chirping, the rain is supposed to be letting up, and those of you in the BlueHat network who are normally invited to attend the Spring BlueHat conference are asking yourselves, "Why did MSRC start doing the con only once a year?" The answer, of course, is pretty simple and complicated at the same time. Today marks the beginning of the next evolution of the BlueHat Security Briefings, with the launch of the BlueHat Security Forum taking place at the Microsoft Executive Briefing Center in Brussels, Belgium.

  • Getting a business degree as part of Security Research?

    What a great time to start thinking of travel – the weather is fairing up, June is here, and fortunately for me, I have a chance to take the driver seat again at another BlueHat conference! This time it’s in Brussels and I’m really looking forward to...
  • A Brussels retrospective from Oahu

    Aloha from the Shakacon III, a security conference held each year in lovely Honolulu, Hawaii! Although I’m currently in a different region of the world, talking with a completely different segment of the security ecosystem, I wanted to take a few moments to reflect on the BlueHat Security Forum EU event recently held in Brussels, Belgium.

  • Stainless steel bridge

    Hi! Manuel Caballero here. I had the pleasure of penetration testing (pen-testing) the previous versions of Microsoft Silverlight, and now, for the last three weeks, I’ve been playing around with the beta version of Silverlight 3. When I say, "the...
  • Securing our Legacy

    Hi, this is Scott Stender from iSEC Partners. I recently had the privilege of speaking at Microsoft's BlueHat event in Brussels on the topic of securing legacy systems. With all of the recent coverage on the need to secure our networked systems --...
  • 心の会合: The Gathering


    I guess you are wondering why I said hello in Japanese. I have just recently returned from attending the 21st Forum of Incident Handling and Security Teams (FIRST) annual conference hosted in the awesome city of Kyoto in Japan. The city of Kyoto is beautiful. I was amazed at all the interesting palaces and temples located right in the middle of a modern city. It was truly awesome. What was even more awesome was the 21st FIRST Annual Conference. You have heard us here at Microsoft talk a lot lately about community-based defense initiatives. These initiatives drive the security ecosystem to work in a coordinated fashion to address security issues. This works best by creating a community that is built on trust and common goals. The common goal here is to build coordinated defense from attacks. FIRST is one such trusted, security-focused community. This is one reason why Microsoft supports their efforts. As a community of incident and security response teams, FIRST provides a trusted network to share information and provide coordination efforts that is all member-driven.

  • Black Hat USA: Hoping what happens in Vegas doesn’t actually stay in Vegas…

    This week our team is preparing to travel to Black Hat USA in Las Vegas Nevada, a hotspot (literally and figuratively), and one of the largest gatherings of security professionals in the world. Black Hat brings together diverse security communities to discuss, debate, deploy, and disseminate security information. It is a week of breaking bread with our friends and rivals, learning from others around the world and bridging the roles of researcher and vendor to raise our security awareness.

    Within Microsoft, we have a community of security defenders.

  • The Microsoft Security Community Videos: A Peek Behind the Curtain

    As mentioned in Sarah’s Black Hat post, we’re profiling some of our own internal security members and sharing their perspectives around Microsoft’s engagement in the security community.  Maarten Van Horenbeeck, Security Program Manager, Microsoft Security Response Center (MSRC) and Katie Moussouris, Senior Security Strategist, Secure Development Lifecycle (SDL), answer the following two questions:

    How did we become involved in security at Microsoft?

    What changes have we seen at Microsoft security over the years?

  • The Microsoft Security Community Videos: Through the Looking Glass

    video: Take a gander as Billy Rios, Security Engineer, Business Online Services, and Bryan Sullivan, Senior Security Program Manager, Secure Development Lifecycle (SDL), discuss their experiences with the security community both inside and outside of Microsoft.


  • The year-end review – well, sort of :)


    It’s that time of year again for all of us to pack up and head out to the desert to reconnect, discuss, and plan for the future, or at least what we think will be the future of security. It’s hard to predict what the next year will bring as the security landscape is ever-changing. This is probably why most of us “grey beards” in the security industry mark the Black Hat/Defcon conferences as the de facto year in review/preview of the next year for the state of security. These conferences have defined a lot of security strategies for a number of people for years. But I digressJ; I started to talk about the year-end review for the security landscape.

    Looking back over the year, I am pleased to see that we have executed nicely on a couple of strategies we put into place to change the security landscape. The ones I am talking about are the three programs listed below that we launched last year around this time.

  • Community Based Defense - Redux

    OMG it’s great to be back in Vegas again – the shows, the shopping, the nightlife, and let’s not forget the talks at Black Hat, the old and new friends, the excitement and the drama. I can hardly wait to see what develops this year!

    Last year at Black Hat, the Microsoft Security Response Center announced three new programs – Microsoft Active Protections Programs (MAPP), Microsoft Vulnerability Research (MSVR), and Microsoft Exploitability Index. I was honestly a bit nervous about how the programs would be received. Would the community ridicule them (and us)? Were the programs as solid as we thought they were? Would they stand the test of time? And most importantly, would they help advance community-based defense?

  • Threat Complexity Requires New Levels of Collaboration

    When complex security issues that affect multiple vendors arise, calling them “challenging” is an understatement. We created the Microsoft Vulnerability Research Program (MSVR) to meet those challenges, learn from those experiences and strengthen the ties of our community of defenders across the industry in the process. As the state of software security matures beyond straightforward issues such as buffer overflows and elevation of privilege, we are working diligently towards a new level of cross-industry collaboration on a scale never seen before. We must do so in order to provide our mutual customers with the best possible experience on our platform.

  • Black Hat USA Spotlight: ATL Killbit Bypass

    There are only a few days left before Black Hat USA, and we, like most other speakers, are in the midst of the last-minute push to have all the materials finalized in time for our presentation. Our presentation this year, " The Language of Trust ," features...
  • Announcing BlueHat v9: Through the Looking Glass

    BlueHat v9 will take place from October 21 to 23 at the Microsoft campus in Redmond. Last year, we experimented with a day dedicated to attacks and a day dedicated to SDL security mitigations. This year, we will give you the best content out there… we are interweaving talks from internal and external security subject matter experts with themes related to e-crime, mobile security, cloud computing, and fuzzing.

    We kick it off with the BlueHat Executive Sessions on October 21 with condensed versions of the presentations delivered in a deeply technical "Cliff Notes" style. October 22 and 23 are filled with BlueHat General Sessions for our Microsoft IT pro and developer population.