[ISN] Microsoft to share "security lessons" with New Zealand government

From: InfoSec News (alerts@private)
Date: Mon Oct 23 2006 - 00:15:36 PDT


http://computerworld.co.nz/news.nsf/news/22761C817C53E02FCC25720D0002280E

By Stephen Bell
Wellington 
23 October, 2006

Microsoft has set up a Security Cooperation Programme (SCP) along with 
New Zealand's Centre for Critical Infrastructure Protection (CCIP).

The SCP, a recently established Microsoft programme, formalises the 
business of reporting to government partners information on threats and 
vulnerabilities, said Microsoft's chief privacy strategist, Peter Cullen, 
while on a visit to New Zealand earlier this month.

The programme aims to mitigate threats to national security. It 
also incorporates an element of citizen outreach, communicating with the 
public about the benefits of the programme.

The security of computers today is a significant challenge and Microsoft 
has been rightly criticised for falling short of expectations in terms 
of exploitable vulnerabilities in its software, Cullen says.

Despite a continuing run of such bugs, and a controversy earlier this 
month about delays in issuing a patch to a zero-day exploit, Cullen 
contends that Microsoft is making significant investments, and advances, 
in making its applications more secure.

As evidence of this, he says exploits are moving up the stack, with an 
increasing number of them using vulnerabilities in applications that run 
on Microsoft platforms but are produced by other companies.

As Microsoft learns its security and privacy lessons, it will be sharing 
them, Cullen says.

The company has published a book on the security development lifecycle 
it has developed, and has followed this up with a set of privacy 
guidelines. These advise developers on appropriate ways of seeking 
consent when asking a customer to supply personal information in 
connection with their application.

Microsoft's guidelines also include briefs on what information is 
retained by products, such as its Internet Security and Acceleration 
(ISA) server, and how to configure servers to provide appropriate 
protection to users.

The SCP idea represents another phase in the company's plan for paying 
closer attention to security matters, says Cullen.

"Prevention of cyber disruptions and improving our capacity to respond to 
incidents in a timely manner are essential to the security of the 
nation, the economy and public health and safety," says CCIP manager 
Richard Byfield.

Partnerships between the public and private sector, or initiatives like 
the Security Cooperation Programme, are fundamental to ensuring better 
preparedness, and for developing innovative solutions for securing New 
Zealand's cyber-based systems and assets.

The types of data to be exchanged include: information about publicly 
known and reported vulnerabilities that Microsoft is investigating; 
information about forthcoming and already released software updates; 
security incident metrics and information on Microsoft product security.

