Black Hat, Las Vegas: Enterprise software companies are resisting Microsoft's call to work together to reduce software vulnerabilities, a Microsoft security expert said yesterday.
Andrew Cushman, director of Microsoft's security response centre, told Computer Weekly some enterprise software firms had preconceived ideas about working with Microsoft.
The situation was better at the consumer end, Andrew Cushman said. For example, Microsoft and Adobe Systems, the firm that makes the Acrobat document software, which has been targeted by hackers, were working on a joint paper on binary file attacks and prevention.
Microsoft was also a member of ICASI, the firmware security group that also has IBM, Intel, Juniper and Cisco as members. Cushman said the group constantly invited other software houses to join, so far without result.
Many software firms regarded security as "motherhood and apple pie". But Microsoft had made it a differentiating factor, he said.
He said Microsoft was prepared to share the experience of the past 10 years in developing more secure systems.
This lay behind Monday's announcement of Project Quant, a vendor-neutral programme to help CIOs evaluate and manage the cost of patch management more accurately.
Research had shown that fewer than half of firms had a clear process for managing patches, but 90% of vulnerabilities were now in applications software, Cushman said.
Cushman said future software security lay in the hands of the internet community. Microsoft hoped to raise awareness of the need for security at all levels so secure ways of working online became embedded.
Microsoft was practising what it preached and it had spent a lot of time thinking about how it did software updates, said Cushman. "Automatic update is now the recommended advice to users," he said.
This involved automating a secure channel, digitally signing the binary files and signing and hashing the authenticating agent in the client computer. This was to ensure neither it nor the software was compromised in transit.
"With so many other companies setting up regular software update programmes, I guess the message is getting through," Cushman said.