Comments: Serious vulnerability in Microsoft Teams that could expose confidential files – Synopsys

Comments by: Jonathan Knudsen, Senior Security Strategist, at Synopsys Software Integrity Group

Microsoft has a proud history of leading the industry in application security, ever since Bill Gates’ famous Trustworthy Computing email nearly twenty years ago. So what does it mean for the rest of us when a security researcher like Evan Grant finds a vulnerability in Microsoft products?

In fact, we can all take heart from a few key aspects of this announcement.

First, even when you do everything right, things can still go sideways. Using a secure development life cycle is the best way to reduce risk when building software, but you can never eliminate risk entirely. Therefore, having a plan in place to respond to incidents is critically important, which is exactly what happened here.

Second, security researchers are an important part of the ecosystem, and can be friendly allies when treated properly. This means that your organisation should have one clear place for researchers to report issues, and you must respond to all inbound correspondence in a timely and respectful manner.

Finally, a solid, automated update procedure helps minimise the impact of disclosures like these. In this case, after Microsoft fixed the vulnerability, customers’ software was updated automatically.
