Katie Moussouris here. I’m the newest Security Strategist here at Microsoft. I was brought in by Sarah Blankinship to contribute to the work of the MSRC Security Community Outreach Team. I work in the group that is responsible for securing current and future Microsoft products.
My background is application security, having come from Symantec by way of the @stake acquisition. I founded and ran the Symantec Vulnerability Research Program. Before that, I spent many years as an application penetration tester, security researcher, and started the security response program for an OS company. There were penguins involved – but that can be our little secret (just between you, me, and the Internet). ;-)
This installation of BlueHat was my first attendance as an “insider”, and I was able to see for myself that the true beauty of BlueHat was making sure the right people met and spoke to each other outside of the lectures. The event allows for the natural convergence of passionate technologists (researchers and MS engineers alike) to come together and brainstorm about ways to protect end users now and in the future.
One of these opportunities for interaction was introducing RSnake to the IE team and anti-phishing task force so that they can talk about how we can work together to come up with better ways to fight phishing, cross-site scripting, cross-site request forgeries, and their ilk. I can’t wait to see what the researchers bring us in September!
Another cool thing I got to do in my first 30 days at Microsoft was speak at ToorCon Seattle (Beta). (See – I wasn’t assimilated.)
The talk was titled “Vulnerability Disclosure Panel Remix” and it was the perfect opportunity to ask the security community “What makes a ‘good vendor’ from a researcher’s perspective?”
This direct feedback from the research community can help not just Microsoft find more efficient ways to maintain friendly relationships with researchers, but also help other vendors improve their researcher relations. It’s my job to help Microsoft lead the way when it comes to proactive security community outreach. My 20 minutes of running around in the audience this past Saturday with mic in hand was more than a “How’s my driving?” exercise; It was a “How’s everyone’s driving?” exercise. We all share the road, traffic is heavy, and we all have some miles to go before we reach home.