If you keep an eye on security issues, and as a DBA you should, then you know that there's an ongoing debate on disclosure. Some people want all security issues disclosed as soon as possible, and others argue vendors should be made aware and the issues not released until a patch is available. I'm kind of in the middle here. I see both arguments and think that we should know about them as soon as we can, but vendors should get some time to patch. I'm kind of a "give them a month" guy, thinking that if it cannot be patched in that time, then perhaps we are better off knowing there's an issue.
Recently Microsoft held its third BlueHat Security Conference, where they bring a bunch of security researchers, or hackers, to Redmond, put them together with developers, engineers, executives, etc., and talk about what is wrong with Microsoft products relating to security. It's a great idea, and from the feedback I've heard from MS employees, it has really helped them to better understand the problems with how the products have evolved. And it shows that Microsoft is working on security. They're not there yet, but they're getting better all the time, and it's a bold move to invite people to come tell your employees where they are making mistakes.
The specific items from the previous conferences haven't been widely released, but supposedly more information will be let out this time. And, as seems to happen with everything these days, a blog has been started. It's the BlueHat Security Briefings blog, and it was nice to see one of the first few entries come from a SQL Server guy.
Time will tell how much gets out, but I think this is one of the best things Microsoft has done for security. It really shows a commitment to making things better. Now if they can just get the fixes for the issues incorporated into products by the engineers.
And keep the marketing people at arms length.
Follow me on Twitter: @way0utwest
My Blog: www.voiceofthedba.com