When complex security issues that affect multiple vendors arise, calling them “challenging” is an understatement. We created the Microsoft Vulnerability Research Program (MSVR) to meet those challenges, learn from those experiences and strengthen the ties of our community of defenders across the industry in the process. As the state of software security matures beyond straightforward issues such as buffer overflows and elevation of privilege, we are working diligently towards a new level of cross-industry collaboration on a scale never seen before. We must do so in order to provide our mutual customers with the best possible experience on our platform.
This week our team is preparing to travel to Black Hat USA in Las Vegas Nevada, a hotspot (literally and figuratively), and one of the largest gatherings of security professionals in the world. Black Hat brings together diverse security communities to discuss, debate, deploy, and disseminate security information. It is a week of breaking bread with our friends and rivals, learning from others around the world and bridging the roles of researcher and vendor to raise our security awareness.
Within Microsoft, we have a community of security defenders.
As mentioned in Sarah’s Black Hat post, we’re profiling some of our own internal security members and sharing their perspectives around Microsoft’s engagement in the security community. Maarten Van Horenbeeck, Security Program Manager, Microsoft Security Response Center (MSRC) and Katie Moussouris, Senior Security Strategist, Secure Development Lifecycle (SDL), answer the following two questions:
How did we become involved in security at Microsoft?
What changes have we seen at Microsoft security over the years?
I guess you are wondering why I said hello in Japanese. I have just recently returned from attending the 21st Forum of Incident Handling and Security Teams (FIRST) annual conference hosted in the awesome city of Kyoto in Japan. The city of Kyoto is beautiful. I was amazed at all the interesting palaces and temples located right in the middle of a modern city. It was truly awesome. What was even more awesome was the 21st FIRST Annual Conference. You have heard us here at Microsoft talk a lot lately about community-based defense initiatives. These initiatives drive the security ecosystem to work in a coordinated fashion to address security issues. This works best by creating a community that is built on trust and common goals. The common goal here is to build coordinated defense from attacks. FIRST is one such trusted, security-focused community. This is one reason why Microsoft supports their efforts. As a community of incident and security response teams, FIRST provides a trusted network to share information and provide coordination efforts that is all member-driven.
It’s that time of year again for all of us to pack up and head out to the desert to reconnect, discuss, and plan for the future, or at least what we think will be the future of security. It’s hard to predict what the next year will bring as the security landscape is ever-changing. This is probably why most of us “grey beards” in the security industry mark the Black Hat/Defcon conferences as the de facto year in review/preview of the next year for the state of security. These conferences have defined a lot of security strategies for a number of people for years. But I digressJ; I started to talk about the year-end review for the security landscape.
Looking back over the year, I am pleased to see that we have executed nicely on a couple of strategies we put into place to change the security landscape. The ones I am talking about are the three programs listed below that we launched last year around this time.
OMG it’s great to be back in Vegas again – the shows, the shopping, the nightlife, and let’s not forget the talks at Black Hat, the old and new friends, the excitement and the drama. I can hardly wait to see what develops this year!
Last year at Black Hat, the Microsoft Security Response Center announced three new programs – Microsoft Active Protections Programs (MAPP), Microsoft Vulnerability Research (MSVR), and Microsoft Exploitability Index. I was honestly a bit nervous about how the programs would be received. Would the community ridicule them (and us)? Were the programs as solid as we thought they were? Would they stand the test of time? And most importantly, would they help advance community-based defense?
video: Take a gander as Billy Rios, Security Engineer, Business Online Services, and Bryan Sullivan, Senior Security Program Manager, Secure Development Lifecycle (SDL), discuss their experiences with the security community both inside and outside of Microsoft.