Microsoft Security Staffer Launches 'Insider' Blog

A new independent blog launched by a Microsoft security technologist promises to pull back the curtain on just what the software giant's internal white hat hackers are up to.

The bold new hackers@microsoft blog -- which went up late last month and is not affiliated with the company -- promises to be a "different" type of blog than the others on blogs.msdn.com.

The blog's founders say Microsoft has its own "white hat hackers" who search for weaknesses and vulnerabilities by doing penetration testing and code review. The goal is to find flaws and release code for them -- so the bad guys don't do it first, according "techjunkie," a.k.a. Ahmad Mahdi, a security technologist for Microsoft's Application Consulting & Engineering (ACE).

"We employ many, many smart testers who know more about some of our software then perhaps the architects who designed it," Mahdi writes in the blog's first entry. "We also employ some of the top researchers in their industry, dedicated people working on the bleeding edge of what's going to be commonplace in the next five or ten years of computing.

"So yes, Microsoft does have hackers, and it's time to introduce you to some of them, and show you what it is, exactly, that they do," Mahdi writes.

It's not clear whether the blog will last, however. A Microsoft spokesman says the company can't comment on the future of the blog since it's an independent one.

Christopher Budd, security program manager for Microsoft, said via email that Microsoft has over 4,500 MSDN and TecNet bloggers, plus a number of employees who have their own indie blogs, such as hackers@microsoft.

"Microsoft’s bloggers are, by and large, the domain experts in their areas. As a company full of people passionate about technology, our overall belief is that these individuals will do the right thing and focus their blogs on useful purposes," Budd says.

"While there is no official policy for blogging, Microsoft encourages its employees to be smart when blogging," Budd adds. "Giving our employees the ability to do great things with customers and community is something deeply embedded into our culture, and creating opportunities to connect with customers is a natural extension of Microsoft’s corporate DNA."

Mahdi was not available at the time of this posting, and the only blog entry on hackers@microsoft is still the original one -- which security experts say is probably no coincidence.

Budd notes that Microsoft does have security pros who do penetration testing, as well as other tasks, and that the company also works with outside researchers, security vendors, and government agencies.

"While TwC [Trustworthy Computing] has already significantly improved code quality and provided customers with better defense in depth, we believe that no matter how few security vulnerabilities remain, security researchers will have a hand in helping customers stay ahead of contemporary security threats," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.