Friday, August 08, 2008

Security is Everyone's Domain

The story began in February when security expert, Dan Kaminsky discovered a serious DNS ("Domain Name Services") vulnerability. What followed was a high level meeting in Redmond, Washington, an incredible coordination and behind-doors work resulting in the largest simultaneous software patch in history on July 8, 2008. You can read the amazing process in Seattle security expert helped uncover major design flaw on Internet by Daniel Lathrop and Paul Shukovsky.

Another contributory event, described in the newly born MSRC Ecosystems Strategy Team Blog, Threats in a Blender, and Other Raisons d'ĂȘtre, as the Blended Threat, resulted in Microsoft Security Advisory (953818), "Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform" and About the security content of Safari 3.1.2 for Windows

These and other events have culminated in the beginnings of a "community-based defense" system. As described by Microsoft’s George Stathakopoulos on ZDNet in Security is everyone’s domain:

"It is time we come together and use the combined strength of the industry, partners, customers and public organizations, and act in unison to build a more secure environment for everyone.

It is time for industry to adopt a community-based defense approach."
The process described by Stathakopoulos includes
Sharing Development Best Practices
Investments in Security and Defense Knowledge
In a coordination effort, referred to as Microsoft Vulnerability Research (MSVR), the Microsoft security team will work with third-party vendors, providing specific vulnerability information and assisting in the creation of updates.

In conjunction with MSVR, Microsoft also announced MAPP (Microsoft Active Protections Program). Through MAPP, Microsoft will provide other security vendors advance information about vulnerabilities addressed by Microsoft security updates, thus allowing those vendors to provide similar protection to their customers on a much faster timeline.

Also announced is the Exploitability Index which will provide guidance on the likelihood of functional exploits being developed for vulnerabilities addressed by Microsoft security updates. Risk management and deployment of security updates involves a considerable amount of time in the corporate IT world. The Exploitability Index, to be included as part of Microsoft’s monthly security bulletin release, will assist in the evaluation.

MSRV, MAPP and the Exploitability Index were announced by Microsoft at Black Hat USA 2008. Another security enhancement of interest, announced by Jerry Bryant, Business, Operations & Communications Manager on the Security Response Communications team, is the publication of the monthly Security Bulletin Webcast Questions & Answers on the MSRC Blog. This will be helpful to IT Professionals who are unable to attend the webscast.

I applaud the collaboration efforts that will be involved in these programs and hope that the security vendors are both receptive and take an active part in the process.

Additional Reading and References:

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

No comments: