A little bit about the Security Update Validation Program

Late last week there was some confusion about the Security Update Validation Program, and I wanted to take a minute to explain how the program works and our reasons behind implementing it. To start, the Security Update Validation Program (SUVP) was tested for about a year before we officially announced it in January. It’s a program that seeks to help ensure the quality of security updates by testing them in environments and configurations, and against applications, that cannot be easily duplicated at Microsoft. What that means is that Microsoft’s security updates are made available before the second Tuesday release to a limited group of customers, who can test them in a lab environment covering a broad range of configurations.

Once the updates are provided, the program members then test the updates in a controlled environment (not their entire network) according to our testing guidance and report back to us with any problems.  To protect the confidentiality of privately reported vulnerability information, the program participants are not given the vulnerability details or the security bulletin ahead of time.  They are given just the updates, minimally documented, so that they can provide feedback based on their deployment experience to help identify potential compatibility problems before the updates are released to the general public. 

People tend to get confused about the program, misinterpreting it as giving preferential treatment to a small group of customers. In actuality, nothing could be further from the truth. The result of this program is simple: better updates. In fact, as a result of this program combined with changes to Microsoft’s engineering process, we did not have to recall a single security update for quality reasons in 2004. That last stat demonstrates that the programs we’re putting into place are making a real difference for our customers’ security. Customers have told us to focus on update quality, and we’ve listened. The SUVP is simply part of our larger effort to make sure customers can deploy updates with confidence.

-Debby Fry Wilson

PS- Don’t forget to watch Security360, Mike Nash’s monthly webcast. Today’s episode is all about phishing, and you can register at www.microsoft.com/security360.



*This posting is provided “AS IS” with no warranties, and confers no rights.*