Microsoft Security and Phone Apps


This topic contains 1 reply, has 1 voice, and was last updated by  Henry Brown 5 years, 2 months ago.

  • #179446

    Henry Brown
    Participant

    From Microsoft Security Response Center

    New Security Policy for Store Apps

    Microsoft has announced a new policy to help ensure the security of apps that are available through the Windows Store, Windows Phone Store, Office Store, and Azure Marketplace. The policy, which is effective immediately, requires developers to fix security vulnerabilities in their apps and enables Microsoft to remove an app from sale if the developer does not provide an effective fix. The requirement applies to all apps available in the online stores, including Microsoft apps.

    The new policy is part of a Microsoft effort to help ensure that customers can have confidence in the security of the software that is available in our online stores. This confidence includes trusting that developers will respond appropriately when a security vulnerability is discovered. Microsoft has a long history of working with third-party developers and researchers to resolve security vulnerabilities. When Microsoft researchers find vulnerabilities in apps, we work directly with app developers through the Microsoft Vulnerability Research program. So far, we have had excellent cooperation from developers in fixing vulnerabilities in their programs. The policy change is just one more step that we are taking to help ensure that vulnerabilities are addressed appropriately.

    Under the policy, developers will have a maximum of 180 days to submit an updated app for security vulnerabilities that are not under active attack and are rated Critical or Important according to the Microsoft Security Response Center rating system. The updated app must be submitted to the store within 180 days of the first report that reproduces the issue. Microsoft reserves the right to take swift action in all cases, which may include immediate removal of the app from the store, and will exercise its discretion on a case-by-case basis.

  • #179448

    Henry Brown
    Participant

    Additional information and commentary from Ms. Smith’s blog on Network World

    MSFT to developers: Fix Windows app security flaws in 180 days or be kicked from stores

    App developers have no more than 180 days to fix security flaws or Microsoft will kick the vulnerable app from the Windows Store, Windows Phone Store, Office Store, and Azure Marketplace. Microsoft’s new security policy for apps states:

    Under the policy, developers will have a maximum of 180 days to submit an updated app for security vulnerabilities that are not under active attack and are rated Critical or Important according to the Microsoft Security Response Center rating system. The updated app must be submitted to the store within 180 days of the first report that reproduces the issue. Microsoft reserves the right to take swift action in all cases, which may include immediate removal of the app from the store, and will exercise its discretion on a case-by-case basis.

    Microsoft will apply the same policy to its own software. “I’ve never seen a vendor state that they’d pull their own applications, so that deserves kudos,” said Tyler Reguly, the manager of security research at Tripwire.

    Microsoft Security Response Center (MSRC) expects that developers will patch vulnerabilities faster than the allotted 180 days, adding that “no apps have come close to exceeding this deadline.”
