Microsoft to Boost Security Response | eWeek

Microsoft to Boost Security Response

Écrit par
Dennis Fisher
Dennis Fisher
Jul 26, 2002
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Microsoft Corp. is in the process of overhauling its security response process in an effort to get patches to customers more quickly and to make it easier for researchers to report vulnerabilities. The company is also beginning to use the data that it collects in this process as part of its Secure Windows Initiative (SWI) training.

One of the largest components of this change is an independent testing process for every patch that the company creates. After the Microsoft Security Response Center team builds a new patch, it is submitted for testing. The MSRC also now sends fixes to the individual researchers who discovered the vulnerabilities to verify that they actually fix the issue at hand.

The goal is to avoid regression errors and other embarrassing problems that have plagued Microsoft patches in the past.

“Were trying to make it as easy as possible for people to make their systems secure,” said Scott Culp, manager of the MSRC in Redmond, Wash. “Were focusing on engineering and process improvements.”

Another key change is the creation of a Web-based form for submitting vulnerability information. In the past, researchers who found flaws in Microsoft products would send an e-mail message to secure@microsoft.com. A member of the MSRC staff would then respond and there would ensue an often-lengthy e-mail exchange as Microsoft tried to verify the vulnerability and get as much information from the researcher as possible.

Now, researchers can fill out the form with all of the information, and Microsoft officials will contact them if they have further questions. The MSRC will also continue to accept submissions via e-mail, but Culp said the Web form will help speed up the response and patch-building process.

“Were getting information significantly faster, and we should be able to cut a couple of days off the turnaround time,” he said. “If people arent getting patches fast enough, somethings not working. Were trying to make the patches more manageable to increase usage.”

The MSRC is also trying as often as possible to release patches during the middle of the week to increase the likelihood that IT organizations will be fully staffed and able to respond and install the patch as soon as possible.

The SWI team, one of the main drivers of the companys Trustworthy Computing effort, is now taking the data from the post-mortems that the MSRC does on each patch it produces and using it to help train developers on the tenets of writing secure code.

Related Stories:

  • Microsoft Warns of SQL Server Flaws
  • Microsoft Shelled Out Millions on Security
  • Interview: Trusting in Microsoft
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.