By Mike Reavey, General Manager, Trustworthy Computing
Today, at the RSA Conference Europe in Amsterdam, I gave a presentation on an important update to Microsoft’s security efforts – Operational Security Assurance (OSA). The design of a secure operations methodology is part of our ongoing commitment to enable trustworthy computing in all aspects of our online services, and OSA represents the next evolution of these efforts.
Since 2004, the Microsoft Security Development Lifecycle (SDL) has helped developers to build more secure software from the ground up. But the job doesn’t end there. Attacks do not necessarily target weaknesses in software. Some attacks are operational in nature, while others, like the Flame malware, target both software vulnerabilities and operational weaknesses. Defending cloud services against network attacks requires both strong development practices, like SDL, and a strong operational security regime. The following list includes a number of ways that OSA adds considerable value to the focus on infrastructure issues and operational security:
As Microsoft has begun the transformation to a devices and services company, I’ve recently focused more of my time on the security of online services. This was a natural transition for me, after a long tenure heading the Microsoft Security Response Center (MSRC) and leading the Program Management team focused on proactive application of SDL in our products and services. Over my ten years at the MSRC, I’ve had the pleasure of working with amazing people, and experienced and learned many things about the practical application of security principles at scale. This included the introduction of “Patch Tuesday”, the addition of the Exploitability Index, and seriously fun activities focused on our most talented security researchers, like the BlueHat Challenge and BlueHat Bounties. Along the way, I’ve worked through some of the more challenging security incidents in the industry.
One of the most important lessons I learned is: “never waste a crisis” – embrace and build from the lessons of each incident. OSA honors that strategy.
To learn more about OSA, I encourage you to check out a new white paper, called Operational security for online services overview. This paper provides additional insight into how Microsoft approaches OSA.