Dive Brief:
- Microsoft said it will publish root cause data for its security vulnerabilities using the Common Weakness Enumeration industry standard, in a blog post released Monday.
- For decades, Microsoft has used its unique taxonomy to describe the causes for vulnerabilities. The change is part of a larger effort by the company to make its products and services more secure and boost transparency.
- “This standard will facilitate more effective community discussions about finding and mitigating these weaknesses in existing software and hardware, while also minimizing them in future updates and releases,” said Lisa Olson, senior program manager, security release at Microsoft, in the blog post.
Dive Insight:
The change is “core to the goals” of Microsoft’s Secure Future Initiative, a program the company announced in November to overhaul the way it approaches security.
Microsoft unveiled the plan months after a state-linked threat group attacked Microsoft Exchange Online and gained access to customer emails. The overhaul was a comprehensive plan to transform the way the company produced software, with promises to become more transparent and enable a faster response to security vulnerabilities.
“At a minimum, this move by Microsoft will enable better communication between and among security practitioners, because all parties will be using a common lexicon, and entities responding to new Microsoft vulnerabilities won’t have to cross walk the new Microsoft root cause data to CWE data,” said Emile Monette, director of value chain security at Synopsys Software Integrity Group.
Charlie Bell, executive VP, Microsoft Security, said in November during the Secure Future Initiative announcement that the company set a goal of reducing the amount of time required to mitigate cloud vulnerabilities by 50% and would also speak out against non-disclosure restrictions placed on security researchers.
Microsoft is taking steps to be more transparent and forthcoming, said Amy Chang, senior fellow of cybersecurity and emerging threats at R Street Institute. The company released a record, 147 patches for Windows and related software in the most recent Patch Tuesday update.
“At a time when there is greater scrutiny on Microsoft's failures or deficiencies in security, making a substantive change in how the company approaches examining root causes of security vulnerabilities would be a smart move,” Chang said via email.
Source link