Thursday, November 7, 2013

Katie Moussouris - Mother of Microsoft Security Bounties - at ISSA Capital of Texas Chapter meeting


Katie Moussouris, Senior Security Strategist at the Microsoft Security Response Center, and Mother of Microsoft bounty programs, presented at our ISSA Capital of Texas Chapter meeting today. Katie is refreshingly unabashed, putting a fresh new face and positive attitude on Microsoft and security. She’s absolutely not a stodgy, arrogant guy in an ugly suit being indignant about being a target. She looks more like a part of the solution.

Quick version: Microsoft bounty programs are now paying real and significant dollars to ethical hackers who want to do the right thing, which is to use their talents to let the vendor fix security problems before criminals have the pleasure of exploiting them. Katie described Black Market, Grey Market and White Market approaches. Enlightened technology providers understand all three, and provide ways for smart hackers to “do the right thing.” Microsoft is proving itself to be enlightened on this count, with this bounty program. Good bounty programs scare out targeted attacks faster, sparing law-abiding users from being hurt.

A few details:
  • Companies like Microsoft have target dominance. If nobody cares about your company, you’re not a target. If you are a market-leading target, consider a bounty program. Such a program will benefit your users by flushing out weaknesses and vulnerabilities before they can hurt your users.
  • Bounty programs will not tend to attract bad guys, because they know they will make more money on the Black Market. Well, of course. However, most smart programmers are intrinsically good, wanting to solve problems and foil the bad guys – hence bounty programs are just good business.
  • Bounty programs can’t take the place of good security programming practices.  Sure, it’s great ad-hoc penetration testing, but it doesn’t take the place of investing in security.


All of that, plus Katie wore boots in Texas style!

