What Blue Hat Really Does for Microsoft Developers

"Blue Hat is just part of a larger picture, which is a really broad effort to make Microsoft accessible," said Adam Shostack, an independent security consultant in Atlanta who participated in the Blue Hat event in October. "Pretty much any [security] conference you go to, there's a Microsoft presence."

"Microsoft still has a long way to go, but they're making an effort to build good relations with researchers, including myself," said Tom Ferris, an independent security researcher in Mission Viejo, Calif., who runs the Security-Protocols.com Web site and has published details on several unpatched holes in Microsoft's products. Compared with other organizations, Microsoft representatives go out of their way to show respect to researchers, Ferris said. "They're not hostile or offensive in e-mails. ... They're always nice. They don't want to [tick] off the researcher," Ferris said.

That's a big change for a company that had a reputation for giving frosty receptions to people who reported bugs.

On the security front, Blue Hat hasn't yielded "aha" security moments as much as it has broadened the thinking of Microsoft's developers, said Stephen Toulouse, security program manager at Microsoft's Security Response Center. "What we're striving for is an outside perspective: getting developers to understand the misuse of code," Toulouse said.

But there are still more than a few researchers who see the Blue Hat conferences as little more than shrewd PR for a company that is widely believed to produce insecure software. "Microsoft got their ass handed to them by worms. It was a public embarrassment and bad [public relations]," said eEye's Maiffret, whose company frequently finds and reports critical holes in Microsoft's products and has had a testy relationship with the company for years.

Maiffret gives Microsoft high marks for improving the quality of its code in recent years.
But events such as Blue Hat are more public relations than serious security work, he said. The experts who have been invited to the event are not the same researchers who are discovering the critical holes in the company's products, he said.

Still, experts and Microsoft insiders say that warm, fuzzy relations with the independent security community are just one part of the company's security makeover under Trustworthy Computing, but not the most important. The whole initiative, especially Blue Hat, is really about increasing the security know-how of its developers, said Mike Howard, senior security program manager at Microsoft and an author of Microsoft's Security Development Lifecycle program, which many experts credit with improving the quality of the company's code.

Microsoft has also used the power of its bulging purse to buy up or bring under contract some serious security talent. Litchfield's NGSS counts Microsoft as a customer, and Ferris claims the company offered him a position on its kernel development team, which he turned down. A Microsoft spokesperson said the company doesn't comment on hiring issues.

"Microsoft has hired an awful lot of my friends in the last few years," said Shostack, who has never worked for Microsoft. "These are all security people, and they're all over the company."

"They're using their monopoly power. It's not all bad, but there are some who look at it in a cynical light," said Gary McGraw, chief technology officer of Cigital Inc., in Dulles, Va., who declined to comment on whether his company, which helps vendors write secure applications, is under contract to Microsoft but admitted having worked with the company in the past.

Still, more security know-how coupled with better programming and liberal use of automated security scanning tools have eliminated many easy-to-exploit buffer overflow and string copy holes, experts agree. "The best way to think about it is as an iceberg floating south. It's gradually getting smaller, and the bug hunters are scrambling for space," said Litchfield in Surrey, England.
More interaction with the research community has given Microsoft a softer touch, even with so-called grey-hat hackers who don't always toe the corporate line or adhere to the company's vulnerability disclosure policies.