Businesses should open their own vulnerability research centres, according to Microsoft.
According to The Register, Microsoft’s Jeremy Brown said that the opening of the Microsoft Vulnerability Research (MSVR) team and centre in 2008 allowed Microsoft security researchers to safely report bugs and vulnerabilities they found in third-party software, in a bid to shore up the security ecosystem of the wider internet and, by extension, the company’s own infrastructure.
Brown recommended businesses open their own versions of MSVR because “it will help boost morale among security staffers and bug hunters, and improve the security posture of the enterprise and the wider internet”.
Asked whether this was something that could be done by most businesses, James Forshaw, consultant and vulnerability researcher at Context, said: “Individual vulnerability research is becoming more widespread within the computer industry, especially with the promise of bug bounties for vulnerabilities discovered. It is therefore important for companies to try and co-ordinate the disclosure of vulnerabilities to third-parties for issues discovered by their employees.
“A good reason to do so, especially for large software vendors such as Microsoft, is that a vulnerability might not be isolated to just a third-party vendor’s products. By co-ordinating the disclosure, it is possible for a company to verify their own exposure to new vulnerabilities and ensure any issues are remediated within similar time frames to the affected third-party. In this respect MSVR is just a public example of a more general trend in the industry to better manage vulnerability disclosure.”
Forshaw said that Context has something very similar internally, as it encourages its consultants to find new vulnerabilities during internal research time as well.
“By managing the disclosure of vulnerabilities internally we can remove some of the time-consuming aspects of the disclosure process,” he said. “It also helps us co-ordinate the disclosure of vulnerabilities discovered during consultancy engagements to ensure they are fixed as soon as possible to improve the security posture of Context’s clients. It is to be expected that other companies are doing similar things internally, just have no reason to discuss it publicly.”
Trey Ford, global security strategist at Rapid7, said: “Vulnerability handling isn’t easy. Everyone has an opinion on how to do it, and it isn’t always as straightforward as one might think.
“In the course of routine security testing, or as highlighted here – even inbound notifications – external organisations, platforms, and code can be impacted by a single vulnerability disclosure. MSVR would be an excellent model to centralise those communications, which spider web very quickly.
“Large organisations will routinely face this challenge – but this is not foreign to the medium-sized organisation. Those with healthy web application security practices will have a centralised function to track software defects against software suites – it is not unusual to find bugs in third-party software in the course of an assessment.”
However, Adrian Davis, managing director for EMEA at (ISC)2, told IT Security Guru that this was not possible, calling it a “flippant” remark and asking whether Microsoft would pay for it. He said: “A bank is not there to test software, it should not be one of their functions.”