
The Microsoft team races to catch bugs before they appear


As a rush of cybercriminals, state-backed hackers, and scammers continues to flood the zone with digital attacks and aggressive campaigns around the world, it’s no surprise that the maker of the popular Windows operating system is focused on security protection. Microsoft’s Patch Tuesday update releases frequently contain fixes for critical vulnerabilities, including those actively exploited by attackers around the world.

The company already has the necessary groups to look for weaknesses in its code (the “red team”) and develop mitigations (the “blue team”). But recently, that format has evolved again to foster more collaboration and interdisciplinary work in hopes of catching more bugs and errors before things begin to spiral. Called Microsoft Offensive Research & Security Engineering, or Morse, this division combines the red team, the blue team, and the so-called green team, which focuses on finding flaws or taking the weak points found by the red team and correcting them more systematically through changes to the way things are done in an organization.

“People believe you can’t move forward without investing in security,” said David Weston, Microsoft’s vice president of enterprise and operating system security, who has been with the company for 10 years. “I have been in the security field for a very long time. For most of my career, we were seen as annoying. Now, if anything, leaders will come to me and say, ‘Dave, am I okay? Have we done everything we can?’ That’s a significant change.”

Morse has been working to promote secure coding practices across Microsoft so there are fewer bugs in the company’s software in the first place. OneFuzz, an open source Azure testing framework, allows Microsoft developers to seamlessly and automatically test their code with all kinds of unusual use cases, finding bugs that would go unnoticed if the software were only used as intended.

The hybrid team has also been at the forefront of promoting the use of safer programming languages (like Rust) throughout the company. And they have advocated embedding security analysis tools directly into the real software compilers used in the company’s production processes. Weston says that change has had a dramatic effect, because it means developers aren’t doing hypothetical analysis in a simulated environment where some bugs might be missed at one step removed from the actual production process.

Morse’s team says the shift to proactive security has led to real progress. In a recent example, members of Morse were examining historical software, a key part of the team’s work, as so much of the Windows codebase was developed before these extensive security reviews. While examining how Microsoft has implemented Transport Layer Security 1.3, the foundational cryptographic protocol used on networks like the internet for secure communication, Morse discovered a remotely exploitable bug that could have allowed an attacker to gain access to the target’s device.

As Mitch Adair, Microsoft’s lead security lead for Cloud Security, put it: “It will be as bad as it happens. TLS is used to secure essentially every product or service that Microsoft uses.”


