By Stephen Bell
23 October, 2006
Microsoft has set up a Security Cooperation Programme (SCP) along with
New Zealand's Centre for Critical Infrastructure Protection (CCIP).
The SCP, a recently established Microsoft programme, formalises the
business of reporting to government partners information on threats and
vulnerabilities, said Microsoft's chief privacy strategist, Peter Cullen,
while on a visit to New Zealand earlier this month.
The programme aims to mitigate threats to national security. It
also incorporates an element of citizen outreach, communicating with the
public about the benefits of the programme.
The security of computers today is a significant challenge and Microsoft
has been rightly criticised for falling short of expectations in terms
of exploitable vulnerabilities in its software, Cullen says.
Despite a continuing run of such bugs, and a controversy earlier this
month about delays in issuing a patch for a zero-day exploit, Cullen
contends that Microsoft is making significant investments, and advances,
in making its applications more secure.
As evidence of this, he says exploits are moving up the stack, with an
increasing number of them using vulnerabilities in applications that run
on Microsoft platforms but are produced by other companies.
As Microsoft learns its security and privacy lessons, it will be sharing
them, Cullen says.
The company has published a book on the security development lifecycle
it has developed, and has followed this up with a set of privacy
guidelines. These advise developers on appropriate ways of seeking
consent when asking a customer to supply personal information in
connection with their application.
Microsoft's guidelines also include briefs on what information is
retained by products, such as its Internet Security and Acceleration
(ISA) server, and how to configure servers to provide appropriate
protection to users.
The SCP idea represents another phase in the company's plan for paying
closer attention to security matters, says Cullen.
Prevention of cyber disruptions and improving our capacity to respond to
incidents in a timely manner are essential to the security of the
nation, the economy and public health and safety, says CCIP manager
Partnerships between the public and private sector, or initiatives like
the Security Cooperation Programme, are fundamental to ensuring better
preparedness, and for developing innovative solutions for securing New
Zealand's cyber-based systems and assets.
The types of data to be exchanged include: information about publicly
known and reported vulnerabilities that Microsoft is investigating;
information about forthcoming and already released software updates;
security incident metrics and information on Microsoft product security.