Hey Andrew Cushman here.

I work in the Security Technology Unit. My team is focused on outreach to the security researcher community.  Our roots are in MSRC – we started a couple years ago focused on “finders” (researchers that report bugs to MSRC). The goal was to figure out how those researchers and Microsoft could communicate and work together more effectively. Over time we realized that the community is much bigger than just the folks that communicate with secure@microsoft.com. So now our focus is broader – today it’s also about how does Microsoft listen and learn from the community and how do we apply that learning to our products. This blog entry is about last week’s BlueHat event – an internal Microsoft security conference.


BlueHat came about in an interesting evolution over the last year. Our outreach efforts to the security research community helped us realize that conferences are key events. They are the forum where cutting edge research is disclosed and relationships are forged. We had attended numerous conferences and realized there were great talks that would be really interesting to Microsoft developers. About a year ago, we were sitting around during a weekly meeting and it was suggested that we could host our own “con” in Redmond for Microsoft engineers. I immediately liked the idea - I’d attended my first con in Singapore a couple of months before and the first hand experience was so powerful – the con took the learning and the understanding of the community from the theoretical to the visceral.


That Tuesday morning we batted the idea around for a bit, brainstormed on the how, the when and the what. We came up with the idea to call it BlueHat - Blue is the background color for full time employee badges and Hat is a reference to the Black Hat conferences upon which we modeled our event.  We discussed what kind of talks would be interesting to engineers and then we hit upon the brilliant (to my mind anyway :) ) idea to put on the con for the executives at Microsoft as well.  We loved the idea of educating engineers, but we realized that an equally big challenge and important goal was to educate Execs. Security is something that needs to happen and be understood at all levels of the company.


The first version of BlueHat was put together on a shoestring budget and a wing and a prayer.  We were really hopeful it would be a success, but there were plenty of challenges - we didn’t know if the speakers would want to come to Redmond and present, we didn’t know how many Microsoft engineers would want to attend, we didn’t know if *any* execs would attend, and we didn’t know how impactful/valuable people would find it. It turns out that we were just about spot on. We had well attended executive sessions and had over 500 engineers turn out for the first BlueHat. The response from them was great, and the researchers who came told us they learned a lot from the experience as well. So, we quickly got started planning the next BlueHat… fast forward to last week. BlueHat v2 followed the same format as the con in March, with a couple key improvements. Naturally we brought in different researchers and had new content, we booked a bigger room, we scheduled some one on one meetings with executives and basically tried to pack as much in as we could (we even made BlueHat t-shirts this time. :) ). It was a resounding success – we trained more than 1,280 engineers on Friday and delivered eye opening talks to more than 70 execs.


The highlight for me was the panel at the end of the day – and no, it wasn’t just because I was the moderator – but because the Microsoft audience got to hear expert opinions on a wide range of topics. It was a highly interactive hour during which security conscious and passionate engineers exchanged ideas and information. We didn’t solve all the world’s problems, but we did set some ideas in motion and we did continue the dialog. And that’s the biggest win - because security is such a multi-faceted, dynamic and broad reaching issue that affects everyone in the industry. It takes smart people from all communities to talk about the problems, to learn from each other and to come up with solutions.


I want to thank the speakers and my coworkers for helping make BlueHat v2 so successful. It was fun and rewarding and makes me want to do it all over again! (Yes we have already started planning the next BlueHat - date and topics are still tbd).


The Cush



*This posting is provided "AS IS" with no warranties, and confers no rights.*