[German]Since there are always serious issues with Microsoft's security updates, a 'Security Update Validation Program' (SUVP) has been (re-)announced. Some information and thoughts about it.
Advertising
Microsoft's announcement
On October 22, 2018, Microsoft employee Dawn Thomas published the article What is the Security Update Validation Program? at Tech Community with the new announcement.
The Security Update Validation Program (SUVP) is a quality assurance testing program for Microsoft security updates, which are released on the second Tuesday of each month. The SUVP provides early access to Microsoft security updates—up to three weeks in advance of the official release—for the purpose of validation and interoperability testing. The program encompasses any Microsoft products for which we fix a vulnerability (e.g. Windows, Office, Exchange, or SQL Server) and is limited to trusted customers under NDA who have been nominated by a Microsoft representative.
However, the program is only opened to trusted customers who sign a confidentiality agreement (NDA). The people are proposed by Microsoft representatives.
The goal of the SUVP
The Microsoft article reads wonderfully what you want to achieve with the program. The purpose of the SUVP is to validate Microsoft security updates using the participants' own test environments and infrastructures. This should include testing with industry, third-party and in-house applications.
Problems found prior to the general release of the security updates should be quickly forwarded via the SUVP directly to the product teams and product managers or engineers involved in the creation of the update. The hope is that this will enable rapid root cause analysis (RCA) and remediation. Ideal goal: The corrections made can be quickly validated with the reporting partner.
To protect the confidentiality of privately reported vulnerability information, SUVP participants do not receive vulnerability details and may not reverse engineer updates or otherwise verify the effectiveness of security measures implemented. Microsoft promises:
Advertising
The benefit of participating in the SUVP program is the ability to identify issues that would impact your business before Microsoft releases large-scale security updates. Once the issues are identified, they are quickly tested and resolved as far as possible. This in turn allows you to keep your Windows production machines (or those of your customers) safe and up to date every month, without worrying about regressions in functionality.
Anyone who has gotten really hot for the SUVP can be nominated through their Microsoft representative. The program requires participants to sign an SUVP contract and have an active Azure Active Directory (Azure AD) tenant to enable content distribution via Microsoft Collaborate.
My two cents
To me it sounds like an employment program for administrators who have nothing to do all day. Just for the record, we have monthly preview rollup updates that Microsoft provides to people. According to my observations, people usually don't install these preview updates (who likes to be a guinea pig) because it's simply too time-consuming.
And we have an insider program for Windows as well as for Microsoft Office. But the thick bucks only become known after the official rollout of updates – after many users have installed the updates. So if these programs – at least in my eyes – don't work and obviously fail, what's the point of an SUVP? At Woody Leonhard, where I found the hint, you can find the comment:
Sounds really good on paper. Actually, it sounds like an old-fashioned beta test team consisting of corporate volunteers. I guess it's cheaper than hiring testers. I wonder how it will work in the cold reality?
Susan Bradley wrote, that this is an old program which is now being extended. She has probably also demanded this expansion – apparently there is really interest from administrators in something like this. In the forum of askwoody I found hints that this is an ancient Microsoft program, which should now address new IT admin groups. In the askwoody forum thread the skepticism prevails. What is your opinion? Does that make sense and do you as administrators in companies have time for something like that? Or are there other beta testers who can't find anything anyway?
These aren't the same as the non security preview updates. This would be testing the actual security updates. If us good guys work to patch faster isn't that a good thing?
@Susan: Thx for your hint. From what I hear here from admins is, that they (mostly) haven't the time/capacity, to run additional preview tests. And SUVP is obviously limited to 'trusted' customers, who are willing, to invest the capacity to run these tests.
So I feat it seems to be an chicken egg problem. But maybe I'm wrong – we will see the results in near future ;-).