Tom Gallagher, author of the forthcoming Hunting Security Bugs, sent the following in reply to my Microsoft Is Getting It post:
Hello Richard. Last weekend I read your blog about Microsoft BlueHat and our security books and thought you might be interested in some more information about these topics.
I joined the company almost 7 years ago. In that time, I've seen some major changes happen around how the company views security. As you are aware, the company didn't focus much on security back then. I was one of the few people at the company who did full-time penetration testing. I worked on a small product team within Microsoft Office and was responsible for testing only it. Today things are very different. In Office's vision document for the release, the first tenet is about the importance of security. Unlike when I started, security is now the responsibility of everyone creating the software - not just the person writing the code, but also the people who design, test, and document it. Other products across the company do similar things. We're certainly not perfect, but are working harder and harder to get better.
As you noticed, we proactively try to learn about security issues from external researchers and bring them to Redmond to present to the product teams. The cool thing about this is it allows many people to get direct exposure to the information. For example, I can't justify sending everyone on my team to a security conference twice a year, but I can send them to BlueHat that often. We continue to send people to external conferences too. Since security is everyone's responsibility, people who don't work on security full-time also attend BlueHat. It is unlikely that those people would attend external security conferences often.
I'm one of the authors of an upcoming MSPress title (Hunting Security Bugs). This book allows feature testers to understand how to find security bugs in their product. Writing Secure Code is for developers to understand how to create secure software; the testing book teaches testers how to carefully probe for vulnerabilities. Both books cover a wide variety of topics. And of course testers aren't limited to the people who work on the team creating the software.
If you have any questions for Tom, please post them here.