In this episode, Andy sits down once again with Paul to continue their conversation about Microsoft’s struggles with security. The episode focuses on a recent report from ProPublica about a Microsoft whistleblower named Andrew Harris. The report alleges that Microsoft was aware of a serious vulnerability in its on-premises Active Directory Federation Services (ADFS) software that could have enabled the SolarWinds supply chain attack, but chose not to fix it or disclose it to customers.

Andy and Paul discuss how Microsoft’s focus on new features and cloud growth over security, as well as the desire to win lucrative government contracts, may have contributed to this decision. They also touch on the challenges faced by Microsoft’s security response team and the broader issue of security being seen as a cost center rather than a profit driver.

Key Takeaways:

  • Microsoft ignored a serious ADFS vulnerability that could have enabled widespread attacks.
  • Security is often viewed as a cost center at Microsoft, rather than a profit driver. This mindset led to the ADFS vulnerability being ignored, as fixing it was not seen as a priority compared to delivering new features and products.
  • Microsoft was criticized for not being transparent about the ADFS vulnerability and not giving customers the option to implement mitigations, even if it meant sacrificing some functionality.
  • The ADFS incident is symptomatic of broader security culture problems at Microsoft, where security is not always prioritized, and technical debt or legacy systems are not adequately addressed.

Timestamps:

(02:22) – Explaining the Whistleblower’s Allegations and the SolarWinds Attack

(07:32) – Vulnerability in ADFS and Microsoft’s “Security Boundaries” Argument

(13:06) – Why Was the Issue Swept Under the Rug?

(19:16) – The Challenges Faced by the Microsoft Security Response Center (MSRC)

(26:24) – Satya Nadella’s Comments on Prioritizing Security over New Features

(27:38) – The Controversy Around the “Recall” Feature in Windows 11

Episode Resources:

ProPublica Article