Microsoft intros security lab to test Azure vulnerabilities

Sibahle Malinga
By Sibahle Malinga, ITWeb senior news journalist.
Johannesburg, 07 Aug 2019

Microsoft has introduced the Azure Security Lab, a dedicated customer-safe cloud environment, for Azure research and collaboration.

Announced at the Black Hat USA 2019 conference this week, the Azure Security Lab is a set of dedicated cloud hosts, aimed at allowing security researchers to aggressively test attacks against infrastructure-as-a-service scenarios. It also allows participants to identify research vulnerabilities in Azure and do their best to emulate criminal hackers.

In addition to offering a secure testing space, the lab programme will enable participating security researchers to engage directly with Microsoft Azure security experts, according to the tech giant.

While Microsoft already has a bug bounty programme, the company says the isolation of the Azure Security Lab allows it to offer something new: “Researchers will not only research vulnerabilities in Azure, they can also attempt to exploit them.”

Applications to join the Azure Security Lab are open, with Microsoft offering researchers up to $300 000 if they can hack its Azure public-cloud infrastructure.

“Microsoft is committed to ensuring our cloud is secure from modern threats. We built Azure with security in mind from the beginning, and work to help customers secure their Azure cloud environment with various solutions,” says Kymberlee Price, principal security PM manager of Microsoft Security Response Centre’s community and partner engagement programmes.

“Partnerships are core to our security strategy, and one of our key partners is the global community of security researchers. By identifying and reporting vulnerabilities to Microsoft, security researchers have repeatedly demonstrated that working together helps protect customers.”

Microsoft says it has issued $4.4 million-worth of bounty rewards over the past 12 months, in appreciation of researchers’ efforts and the opportunity to mitigate issues before they are publicly known and used for harm.

In January, the company launched a new bug bounty programme designed to identify vulnerabilities in Azure DevOps, with top rewards of up to $20 000.

With the new Azure Security Lab, Microsoft promises to double its bug bounty rewards for researchers who discover Azure vulnerabilities.

This week, Microsoft also put in place its safe harbour terms and conditions, outlining how researchers, who are acting in good faith, can report bugs without facing legal repercussions.

“We appreciate our security partners across the industry, and believe the new programmes we’re announcing today will help further protect the Azure ecosystem,” notes Price.

Applications to join the Azure Security Lab opened this week. To request a Windows or Linux virtual machine, applicants can apply here.