Microsoft Corp. is in the process of overhauling its security response process in an effort to get patches to customers more quickly and to make it easier for researchers to report vulnerabilities. The company is also beginning to use the data that it collects in this process as part of its Secure Windows Initiative (SWI) training.
One of the largest components of this change is an independent testing process for every patch that the company creates. After the Microsoft Security Response Center team builds a new patch, it is submitted for testing. The MSRC also now sends fixes to the individual researchers who discovered the vulnerabilities to verify that they actually fix the issue at hand.
The goal is to avoid regression errors and other embarrassing problems that have plagued Microsoft patches in the past.
"Were trying to make it as easy as possible for people to make their systems secure," said Scott Culp, manager of the MSRC in Redmond, Wash. "Were focusing on engineering and process improvements."
Another key change is the creation of a Web-based form for submitting vulnerability information. In the past, researchers who found flaws in Microsoft products would send an e-mail message to firstname.lastname@example.org. A member of the MSRC staff would then respond and there would ensue an often-lengthy e-mail exchange as Microsoft tried to verify the vulnerability and get as much information from the researcher as possible.
Now, researchers can fill out the form with all of the information, and Microsoft officials will contact them if they have further questions. The MSRC will also continue to accept submissions via e-mail, but Culp said the Web form will help speed up the response and patch-building process.
"Were getting information significantly faster, and we should be able to cut a couple of days off the turnaround time," he said. "If people arent getting patches fast enough, somethings not working. Were trying to make the patches more manageable to increase usage."
The MSRC is also trying as often as possible to release patches during the middle of the week to increase the likelihood that IT organizations will be fully staffed and able to respond and install the patch as soon as possible.
The SWI team, one of the main drivers of the companys Trustworthy Computing effort, is now taking the data from the post-mortems that the MSRC does on each patch it produces and using it to help train developers on the tenets of writing secure code.
- Microsoft Warns of SQL Server Flaws
- Microsoft Shelled Out Millions on Security
- Interview: Trusting in Microsoft