Bluehat v3 first thoughts

Hi, I'm Brad Sarsfield (bradsa!); I’m the SQL guy here. One of the interesting things about me and my team is that I own the ‘slammer’ component in SQL Server, so by that very nature quite a large part of my job description is to ensure (and I quote) “that never … ever … happens again”.  So by default that makes me a SQL security guy and I work quite closely within the SQL Server security team.

In my adventures to fulfill my job description I’ve met a lot of brilliant database security researchers like David Litchfield, Kevin Dunn and Alexander Kornburst.  I’ve had conversations with these and other researchers that I really wish I could have shared with the 1000 of my SQL Server engineering colleagues.  So after a few of the “I wish everyone working on SQL Server could hear this right now!” moments I talked Kymberlee Price and Andrew Cushman into adding another day; thus we added another day focused on SQL, Data and Web application security.




The first day was a condensed set of talks to senior product leadership and executive types. The second day took a SQL, Data and Web application focus while the third day focused in on the Windows Platform. 

On the first day, putting around 40 highly technical senior level engineers, architects and executives in a room for a few hours with some of the top security researches in the world was an amazing sight, oh and we did it twice that day (March 8th).  It was open and honest discussion about problems specific to Microsoft technologies and also problems that affect our enitre industry.  Some of the speakers gave a condensed version of their talk during this session.

Everything was fair game.  Hearing senior executives say things like:  “I want the people responsible for those features in my office early next week; I want to get to the bottom of this” was at least one measure of success from my point of view for the event.  The speakers were quite impressed with the technical depth that our executives have.

Stay tuned as we bring more content online at the BlueHat technet site.

Brad Sarsfield

Microsoft SQL Server

Comments (2)

  1. scubajim says:


    While it is true that executives saying that is a measure of sucess (a fairly meaningless measure in this case) it is also an indication that they are clueless about their own product.  If they are really and truly surprised then they need to get out of their meetings and be aware of their company’s products and the market place.  If they weren’t really surprised then it is a very disingenous response.  (either way it doesn’t look that good.)

  2. The willingness for our executives to take an external point of view and not just acknowledges it but to also turn around and take immediate action to correct or fully understand a point seems like a positive. A few of the speakers commented to me on the level of deep technical knowledge that our product executive staff have; and their genuine concern for doing the right thing.  We also have to take into consideration the sheer scale of some of the products we develop. There are executives who have literally thousands of engineers and feature groups in their product lines. There were a few points during the executive sessions where we were all looking at assembly code.

    We’re trying quite genuinely to raise security awareness and responsibility at every level here at Microsoft.  A few of the talks were standing room only in our largest conference room that can hold 900 people.  Having engineers seeing the talks and understanding the threat vectors and how people are attacking their code is quite valuable.

    In the days since BlueHat ended, I’ve seen several new feature requests, bug reports and heard architectural discussions on how to move forward combating the current generation of security threats and also how to adapt to the next generation of threats.

    At the end of the day this had a positive effect on our people and products which in the end will help work towards the goal of securing the Microsoft platform.


Skip to main content