When the Microsoft Security Response Center (MSRC) decides to address a vulnerability with an update, MSRC begins to develop a security bulletin and other communications to broadcast the issue to customers.
Meanwhile, the affected product team works to create and test a software update to address the vulnerability.
Creating a Security Update
If the severity of a vulnerability warrants an update, the MSRC works with the appropriate product team to ensure the update is produced quickly and meets the MSRC quality bar.
MSRC also investigates additional ways that IT professionals and other customers can help protect themselves while they are evaluating the update. The MSRC engineering team investigates the surrounding code and design and searches for other variants of that threat that could affect customers.
Testing Security Updates Internally
MSRC will not release an update until it meets strict quality standards designed to ensure that the update will not interfere with software operation. As part of this commitment to security update quality, MSRC applies several levels of testing.
More than 100 people might be required to work for many weeks to test a substantial update. Each team performs a test pass, sometimes referred to as "depth testing," which covers affected code as well as any dependent or related areas of code.
Depth testing includes:
- Application compatibility testing
- Testing of the actual component that the update addresses
- Setup and install testing
- Other usage scenarios that might occur
The teams also review test cases they draw from other areas of code, and if necessary create new test cases to ensure the quality of a release. The teams then perform broader sets of tests that include deployment, detection, and partner testing, in which other teams and product groups at Microsoft test the update against their software.
Testing the Security Updates Externally
Before updates are made generally available, Microsoft provides security updates to a limited group of customers who can test them in a broad range of configurations and environments.
This practice, called the Security Update Validation Program, helps ensure the quality of security updates by testing them in environments and configurations, and against applications, that Microsoft cannot easily duplicate in-house. Participants provide feedback based on their deployment experience to help identify potential compatibility problems before the MSRC releases the updates to the public.
The program has reduced compatibility issues and has helped enhance the quality of security updates significantly, making it easier for customers to deploy updates more quickly.
Security Bulletins and Other Communications