Microsoft has been hiring hackers to help improve its security and research work for the past few years and a new blog by a Microsoft employee will feature these hackers and their projects.
An unnamed Microsoft employee, who goes by the online name of techjunkie, unveiled their hackers@Microsoft blog
"We employ white hat hackers who spend their time penetration testing and code reviewing applications and software looking for weaknesses and vulnerabilities so that others don't see them once we've released that code into the wild," according to the blog.
Andrew Cushman, director of the both the Microsoft Security Research Center and the company's outreach to the security community, said this week that the hiring of these hackers naturally sprang up from hiring security contractors for help on certain projects and has grown from those first few full-time hires.
The company said it hires "white hat" hackers, who use their skill and knowledge to help improve security, which is in contrast to "black hat" hackers who use their skills to commit online fraud or theft.
In the past, Microsoft has come under attack for a certain lack of security in its products, leading the company to make Windows Vista, its latest operating system, much more secure than other versions. In order to do that, though, it meant releasing it much later than originally planned.
For the last several years, Microsoft has reached out to the security industry, hiring them to help penetration test Windows Vista, for example, and educate its technical and executive employees about cutting edge technology, Cushman said. One of the most important ways these hackers have contributed to improved security for IT administrators is making Microsoft's updates complete.
"Microsoft has worked hard to build its reputation with the most well-known bug finders, and I think that has benefited them, particularly in the software development world," said Peter Lindstrom, an analyst with the Burton Group, in Midvale, Utah. He said he feels the quality of patches has probably improved, those "feelings" on his part and from Microsoft aren't conclusive evidence that they have actually improved. Lindstrom would prefer to see hard statistics from Microsoft and from other vendors, such as Oracle and Red Hat, so comparisons could be made.
"It's important to make sure that when we fix a security vulnerability with an update, that we fix it all," Cushma said. "The worst thing we can do is release [an update] and then have customers say, 'You know what? You fixed that, but you missed this.'" The work of hackers has helped dramatically increase the quality and completeness of the monthly updates, he said.
When updates have to be re-released, that means IT managers lose money because they have to spend additional time with the updates, and Microsoft then suffers because it has less credibility with customers, he said.
In the development of Windows Vista, Microsoft helped make a more secure operating system for customers, said Cushman.
The outreach efforts to the security industry have also led to Microsoft's presence at hacker conferences such as Black Hat, but it has also led to the creation of a Blue Hat conference for Microsoft technologists and executives where hackers come in and make presentations on new vulnerabilities and cutting edge security technologies.
Microsoft's embrace of white hat hackers and the security community has given it more credibility and a seat at the table when issues come up within that community, he said.