
Black Hat, Las Vegas: Enterprise software companies are resisting Microsoft's call to work together to reduce software vulnerabilities, a Microsoft security expert said yesterday.
Andrew Cushman, director of Microsoft's security response centre, told Computer Weekly some enterprise software firms had preconceived ideas about working with Microsoft.
The situation was better at the consumer end, Andrew Cushman said. For example, Microsoft and Adobe Systems, the firm that makes the Acrobat document software, which has been targeted by hackers, were working on a joint paper on binary file attacks and prevention.
Microsoft was also a member of ICASI, the firmware security group that also has IBM, Intel, Juniper and Cisco as members. Cushman said the group constantly invited other software houses to join, so far without result.
Many software firms regarded security as "motherhood and apple pie". But Microsoft had made it a differentiating factor, he said.
He said Microsoft was prepared to share the experience of the past 10 years in developing more secure systems.

This lay behind Monday's announcement of Project Quant, a vendor-neutral programme to help CIOs evaluate and manage the cost of patch management more accurately.
Research had shown that fewer than half of firms had a clear process for managing patches, but 90% of vulnerabilities were now in applications software, Cushman said.

This made patch management essential, both to preventing infection and to stopping an infected system from passing it on to others.
"Patch management is the first line of defence," he said.
Cushman said future software security lay in the hands of the internet community. Microsoft hoped to raise awareness of the need for security at all levels so secure ways of working online became embedded.
Microsoft was practising what it preached and had spent a lot of time thinking about how it did software updates, said Cushman. "Automatic update is now the recommended advice to users," he said.
This involved automating a secure channel, digitally signing the binary files, and signing and hashing the authenticating agent on the client computer. This was to ensure neither the agent nor the software was compromised in transit.
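The checks Cushman describes, as an added Go example that is not code from the article or from Microsoft: a constructed vendor key signs a manifest carrying the SHA-256 of the update binary and of the update agent, and the client applies nothing unless the manifest signature, the agent's own hash and the binary's hash all verify. The secure transport channel is assumed and not shown; the vendor public key would be pinned in the client in practice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest carries the expected SHA-256 of the update binary and of the
// update agent itself; the vendor signs its serialised form with Ed25519.
type Manifest struct{ BinarySHA256, AgentSHA256 string }

func (m Manifest) Bytes() []byte { return []byte(m.BinarySHA256 + "\n" + m.AgentSHA256 + "\n") }
func hashHex(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// Publish is the vendor side: hash binary and agent, then sign the manifest.
func Publish(priv ed25519.PrivateKey, binary, agent []byte) (Manifest, []byte) {
	m := Manifest{BinarySHA256: hashHex(binary), AgentSHA256: hashHex(agent)}
	return m, ed25519.Sign(priv, m.Bytes())
}

// VerifyUpdate is the client side. The signature is checked before anything
// else, then the agent's own hash (a tampered updater), then the binary
// (tampering in transit); a failure at any step means the update is not applied.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, binary, agent []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if hashHex(agent) != m.AgentSHA256 {
		return errors.New("update agent hash mismatch")
	}
	if hashHex(binary) != m.BinarySHA256 {
		return errors.New("update binary hash mismatch")
	}
	return nil
}
func main() {
	// Constructed vendor key and payloads for the demo; a real client pins the vendor public key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	binary, agent := []byte("constructed update payload"), []byte("constructed update agent")
	m, sig := Publish(priv, binary, agent)
	fmt.Println("clean:", VerifyUpdate(pub, m, sig, binary, agent))                 // <nil>
	fmt.Println("tampered:", VerifyUpdate(pub, m, sig, []byte("altered payload"), agent)) // update binary hash mismatch
}
```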
"With so many other companies setting up regular software update programmes, I guess the message is getting through," Cushman said.