"The Microsoft Team Racing to Catch Bugs Before They Happen"
As cybercriminals, state-backed hackers, and scammers continue to flood the zone with digital attacks and aggressive campaigns around the world, Microsoft, the maker of the ubiquitous Windows operating system, is focusing on security defense. Microsoft's Patch Tuesday updates often include fixes for critical vulnerabilities, such as those actively exploited by attackers. The company already has the necessary teams in place to look for flaws in its code (i.e., red team) and develop mitigations (i.e., blue team). However, that format has recently evolved to encourage more collaboration and interdisciplinary work in the hopes of catching even more errors and flaws before things spiral out of control. The department, known as Microsoft Offensive Research & Security Engineering (Morse) combines the red team, blue team, and so-called green team, which focuses on finding flaws or taking weaknesses discovered by the red team and fixing them more systemically through changes to how things are done within an organization. Morse has been working to promote safe coding practices so that fewer bugs end up in the company's software. OneFuzz, an open-source Azure testing framework, enables Microsoft developers to constantly and automatically hit their code with all types of unusual use cases to find flaws that would go undetected if the software was only used as intended. The combined team has been encouraging the use of safer programming languages, such as Rust, throughout the organization. They have also advocated for security analysis tools to be embedded directly into the real software compiler used in the company's production workflow. This change has had an impact because it prevents developers from performing hypothetical analysis in a simulated environment, where some bugs may be overlooked at a step removed from real production. According to the Morse team, the shift toward proactive security has resulted in significant progress. For example, Morse members recently discovered a remotely exploitable bug while investigating how Microsoft had implemented Transport Layer Security 1.3, the foundational cryptographic protocol used across networks such as the Internet for secure communication. This article continues to discuss the Morse team and how their proactive security approach.
Wired reports "The Microsoft Team Racing to Catch Bugs Before They Happen"