It is no surprise that the maker of the ubiquitous Windows operating system is focused on security defense. Fixes for critical vulnerabilities that are being exploited by attackers in the wild are included in Microsoft's Patch Tuesday updates.

The company has groups that can hunt for weaknesses in its code and develop solutions. In order to catch even more mistakes and flaws before things get out of hand, the format has evolved again. The red team, blue team, and green team are all part of the Microsoft offensive research and security engineering department.

David Weston, Microsoft's vice president of enterprise and operating system security, has been at the company for 10 years. "I have been in security for many years. We were thought to be annoying for a long time. The leaders are coming to me and asking if I'm OK. Did we do everything we could? That's been a big change."

Safe coding practices are promoted across Microsoft so fewer bugs end up in the company's software. OneFuzz allows Microsoft developers to constantly and automatically bombard their code with all sorts of unusual use cases, ferreting out flaws that wouldn't be noticed if the software were only being used as intended.

The combined team has also been at the forefront of promoting the use of safer programming languages. It has advocated for embedding security analysis tools directly into the real software. Weston says the change has had an impact because it means developers aren't doing hypothetical analysis in a simulation where some bugs might be overlooked.

The shift towards proactive security has led to progress. An important part of the group's job is to vet historic software, since so much of the Windows codebase was developed before these expanded security reviews. A remotely exploitable bug that could have allowed attackers to access targets' devices was discovered while looking at how Microsoft implemented Transport Layer Security 1.3.