Vatsal
« on: December 29, 2005, 10:48:09 PM » |
Microsoft takes tips from hackers
By John Sterlicchi, Sep 23, 2005
MICROSOFT is reaching out to hackers in another bid to beef up its software security.
The company is organising a two-day security seminar called Blue Hat at its corporate headquarters.
The name mingles the colour of Microsoft's logo with a tribute to Black Hat hacker-fests, which have been around for several years.
The Blue Hat conference, to be held in October, will be the second time Microsoft has invited about 10 security researchers, as it prefers to call them, to its Seattle campus. The first Blue Hat was so successful that similar events will be held every six months or so, Microsoft security response team manager Stephen Toulouse says.
On the first day of the conference, researchers will meet Microsoft senior managers in charge of various software products to discuss how security and the choices made by executives affect customers.
On the second day they will talk to the developers, who write the code.
While the researchers talk to several hundred people, Blue Hat is recorded and webcast on the company's network so anyone who wants to can hear and see what is going on. Microsoft is committed to educating its developers in writing more secure software, using a process called Security Development Lifecycle, which all company products go through.
The aim of this, of course, is to improve security.
Toulouse says the training is very intellectual and covers areas such as how to avoid writing buffer overruns and how to avoid using dangerous functions.
Blue Hat brings a completely different perspective to developer training.
"When a security researcher is on stage and showing, for example, how they can lure an XP Professional computer on to a potentially malicious wireless network, it really hits you in the gut," he says.
"Our developers really get to see some of the ways people are misusing functionality. They come away with that knowledge. Now, when they are designing user interfaces that customers will end up seeing, and have to make decisions on, they have a new perspective on how our products could be misused and they can try to minimise that."
As well as being a training exercise, Blue Hat promotes positive relationships between Microsoft's developers and the security community, Toulouse says. "We show these guys that our people are also passionate about security and that we want to do things differently to help make the products secure," he says.
Shane Macaulay, a security researcher who attended the first Blue Hat, says the event was a success.
"Microsoft really rolled out the red carpet," he says.
"I'm sure they will invest more time and resources in future events."
Both Microsoft and the security consultants benefited from the event, he says, particularly in information sharing. "For instance, when sensitive security topics came up, the developers were able to interject with the design criteria and other motivations as to why an application behaved the way it did," Macaulay says.
"Microsoft definitely benefits from the partly closed venue, allowing a more open and free exchange of ideas with external industry experts."
Toulouse says the feedback Microsoft received from the security consultants was very positive.
"They appreciated the opportunity to meet the people who are writing the code and to have a chance to really influence some of the decisions that we are making," he says.