Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Claims Security Win with New Development Rules



 By: Ryan Naraine
2005-03-25
Article Rating:starstarstarstarstar / 2


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Redmond says its "Security Development Lifecycle" push has already reduced the number of serious vulnerabilities in Microsoft applications that touch the Internet.

Microsoft Corp.s application of a mandatory "Security Development Lifecycle" for all its Internet-facing products has "significantly reduced" the number—and severity—of security vulnerabilities, according to a white paper released by the software giant.

The 19-page document, titled The Trustworthy Computing Security Development Lifecycle, outlines the "cradle to grave" procedures used for software creation at Microsoft. According to senior executives, the new approach represents a major change in the way that software is designed, developed and tested.

Michael Howard, senior security program manager at Microsoft Corp. and one of the authors of the white paper, told eWEEK.com that the SDL is mandatory for about 90 percent of all products shipped. It covers four high-level principles covering every stage of software creation.

"Under the old structure, you wrote the code and then reviewed it for bugs. But that doesnt work anymore. You have to change your processes and techniques from cradle to grave to develop software that can withstand a malicious attack," Howard said.

Under the SDL, Howard said, Microsoft engineers now eat, sleep and breathe security at every stage. From the design stage through deployment, Howard said, the SDL mandates that the architecture is built to protect itself from the information it processes and to resist attacks.

"In the real world, software will not achieve perfect security, so designers should assume that security flaws would be present. To minimize the harm that occurs when attackers target these remaining flaws, softwares default state should promote security," Howard wrote in the white paper, which is coauthored by Steve Lipner, director of security engineering strategy in Microsofts Security Business Unit.

To read about Microsofts plans for network security in the Longhorn client, click here.

Resource Library:
"For example, software should run with the least necessary privilege, and services and features that are not widely needed should be disabled by default or accessible only to a small population of users," Howard wrote.

"This is absolutely mandatory. And the directive comes down from Bill Gates and Steve Ballmer. Thats one of the exciting things from a security perspective, weve got 1,000 percent buy-in from executives at the highest level," Howard said.

The SDL framework was first implemented in Windows Server 2003, SQL Server 2000 Service Pack 3 and Exchange 2000 Server Service Pack 3, and while Howard is careful to avoid making conclusive claims, he said the results are encouraging.

Pre-SDL, Microsoft released 62 bulletins to fix flaws in Windows 2000, compared to just 24 advisories in Windows Server 2003. The numbers are the same for pre- and post-SDL advisories for SQL Server 2000 and Exchange Server 2000.

Overall, security bulletins from Microsoft have decreased in recent years, dropping from 72 in 2002 to 51 in 2003 to 45 in 2004.

"The process is not perfect, and is still evolving," Howard said, noting that it was unlikely to reach perfection or to cease evolving in the foreseeable future. "Software developers are human beings. There will be mistakes and bugs will creep into the code. But with the SDL, its about putting systems in place to reduce those errors."

"We have seen an overall reduction in security vulnerabilities. And, more importantly, weve also seen a reduction in the severity of vulnerabilities that you miss when writing the code," he added.

A significant part of the SDL, Howard explained, is the education of software engineers. Generally, he said, developers lack the necessary training to design and develop secure software. Under those circumstances, Howard argues that a software company must take responsibility for educating staff.

"At Microsoft, all personnel involved in developing software must go through yearly security refresher training," he said. "Its absolutely mandatory for all the software development groups and we track it all the way up to the vice presidents. We make sure theyre all meeting the SDL requirements on education."

He said the ultimate test of the SDL is the extent to which it removes and mitigates vulnerabilities in Microsoft software. "Were meeting this test but we have to keep modifying too, because the security industry is evolving daily."

Howard said recent experience proved that security measures planned for or implemented in new software versions successfully blocked attacks that were effective against older versions.

Microsoft Windows XP Service Pack 2 also provided proof that the security changes that had been planned but not yet implemented or discussed publicly were found to eliminate a significant number of vulnerabilities reported against prior versions of Windows.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Microsoft Claims Security Win with New Development Rules
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}v㶒s{̎Sj^-c[ޖ9gi(S$7IVg2S7]hɗNgݫm @P( o^ȹ=&> :74ϸ3{?O@BFNtk ]UHѻzZn4 /o kGx)oފx&/hoTa@Y21$h(ͷtL|OkEs _Ķ^alM Lh:qF٨XCPjT/VKtP"{֝{2كS4gVko~w.UdEe*Gn0Tp;\ru=[qؼam a B'ߊFb}"@DeR)$^&64t<_MB^$9@JI?|%rP:(*RWK%j̮gF,, uGҾ췯;6鷏ώ;S$oIJ1<jUQ*H J zb!=ޙ7'7ϗ7˓MvIcCR5TY09 ;BV>;$OOWm2 Շ1 xS<œ qN {(-TKۗ9K2}xc-> , G!H,聞U|`nmdʰ(|Krn9];L~cE#䃃V7ib: )BdT_3;j\ }0쭑Ca)"8?ՃIpjaCGӪs6,Źw%,|YB*sJnPWȨYSNeIJ7EDqr4=.|YqI(G){?NIR^E6\lf>UKg<8z6wܬ.U$ԴXߙ-~ӒKsqnUŧvz߆)eF8 ,H.e޴$8WG9UGZ9UݣEʐTt K"& `J_T [ö@ .1RgVPP},|P4;ujx?SߧnΦjۉ!9* ڠN+/qK Tmb>'ݨpV83 U(z13 a > >FN9=H*}n9A%UǶCMߟLG`p&;hk - D+wc E#` V}R+?m:fQ(9N@4umMrA=S9jZд@ţ@E6n  DP=m"}Vxxo #A:Ez. Z DbQ TU\c%Vи%٩&7eM.&Dtl?Pa>"% m gxq~9ū#%ppo?IjZXGRr^*qVXf3ˆ5R)4khɁ3;q Sm`ꍖ>gt00n voOm[C9..V+ %.j$17,ylӅ~>EVVŐg E{ $$$Empn`{@L}}B{&cAjߛ,-0`7Y-7{iDqURQ#2Fi@L8y>.ԯLS4į5>LiRV54XFPTf1"E JѴ%%1O kō'J3c+4Cr|SM(dHw_/_QnH}gnLLͺ>vWojpl93@NQ͕G9h Qlri ט@Adūu#}Pe*Wty?Oﺬ(D?/(:%2RC|!\y)=+VgP֛WX[`MtgwvP4FUH1pNLG{+bJb֍*|z&viw',3%!k׌X;4vgf L BӀBD]Vڢt`ә3DoУAdz)`\E[oHNow\Mp?m+0$ŷk\RYTqEJ9.b(^f*kj0KYmrS5b drQTܴ(j*1nrh2jk./ 71טތsb9t[ 󩖃AC]Rp 3b/tEg]:~7e!zZiKg R5vLuYsXh;CXvIS$#Z SEڭ(+Y9M JVڳP1ݗS0Abe41y4)۾bZ7D_L7 xƅ;D&K $T)C؉M&Zt4eڧw~y0;on:'CRTVi/.:>;[:Ns;QA^+;,U.š ˓/\'xuйhoy(/ [hTD 1R^]Ru̦W{ᚕ O  usѺ~߹/vwϻ4Zw.B1~z0W#N/;/i Ga9>oC~OM>k0խhH!htgDRtܗI /3:VTzF[kɶ*7ϐahZ}m7ZgΊ#S_aY+,$"0~ I5cZg.$9l5@%+JFtzWOѩ`{my0 o|d zE/b)%Q\(둞hI{bDǠ"G0^ί[J㷒o˘IGD}_q-5sz4~&,\1Z9ntHd,OprlwzPayarf:~Ii%M\q} zsH&vD)f`;QxakM̉+^H#˹? [6@J5pk=L\6n'im.TK)5dJ)%SBt0RHqPU,O,'y=%lPPq)(KB)%)lbTH{oNwպ47<1ަmƙxzIuc!;rӥ2iv8(5~uNH>ڢG)'GHv䕤 g[ZgUHN~ԩ'h& x~@0EZ䐜B}vR>8 t;`ckv(ϴGNxR7Ć BC,q;Y ./lvqOmoIURCZщ}ɘS A0ngh;[R>uv&xl"6T@-wq/ K(]s;?~InL<<ʏePͰ?3KGݙ]L.I߾&O3 +%A=Iݩa# ^{.Jm(=}"[3jxu?2B./zv~ِ[2Tx)?Nuom'|Zؖ[qh*A#wc YdJ}vj'It% $YV JJ/ge1 \D)~VxF0M#}ݾJ4hAhfktOn oG!J. 06wK!_@>z~#Oa ]kd;/oӯ <v4..߮8)<A~A< v4*);7YؗF>[Fn3db܆~@zFjOXW+O2?Wc#ޚU>9d^˳%p>gsX#gqՈ,j8 f $U}X`ɤ.VQ'G\/ǯyGMݥoXfN_e< \d6`~Ht3"7AGgDx<_ oǘش|`a<+R<4sow3 =TAsHxX? @8Ja.<A 37A#7-8wdf~QT01#n kNžBM\rvRjfYgsV H#L]60=T+JI[{q4QY5DItytds/b$ *.0,3m0Xi҆ @*q5:eFqC7n*UYћgnP2V1~m19Y[2 ZLII˞^~#qKHq D) 'M01~ʵ\^$њg -`yC,q20RFOEFJjxgs4z|v2C@1ꋪex".82X, 0ɎVhrbp_~t_t(ztaK5 ":O &GxU"Ie ȗCH$7sӖ|)m_Qœ22/t/\P OgY6!l&!lfU>I˲o{4Q )U^*9%}Pd[Vu #5sfZ*˵ȒB'I$OxH8xBxZ̧OMt~s^^~M 8ug4Jz85 h&t"q&غJ*e1wz AtꡱEz=x-|=-Л`Eל+8KwBKePBV0pʮR,A@1Qj~XYz#BOʦV})s ZcO z5)`M- CG<Fult ~2Hi>K*4cԂƂ҄)5ߌߌߌߌ_ޘ]VjX^M{AiyzfwѺc]7jcT5-jSU Ɛs} jP^k~ez>!zqαޝBoifGk;z9Px#G(<ca}9?^ E <+'ݐLY .[`/ϳ))*OT_^z AgݐJ_hS~[&hh(~ E e"j>DWBDWZT2a ˹r el{DJԖinY`C:|:*I/$-0ǡ1R桓@ŰjE4RjCz1CԢ< @R ›*zC6akPu _#l 4|' >a)|(W|1P oZDDDDhkŃZk3ѮٯO A. xH#k! e:VuESF3{,^1;|ѪBZ?!/w=.v֭ܶėrdFbx/GeRg3?O؋_')l?FپU3s69U)$]U-OkB*[c/xB{u<- od1>0t`ϛp{uiŻ{c,$;6ЖTrnoM (:ߤ_u_eX@b,) ֈ {,JviYX JJfy%1'O'>4C- @&ph֢ F֒DJ)&W#}h8cEXR̭Lc} efK@7 J0M̉p =q~~yct6&9+AR)R^]FcGRn[t_dY@kYb"$oNw ۤ6;-r9 Dכ7 OQ4HcAilpe"0U5 *3φx9v{QFĉӿ8ؗھ`܀Jfx\sZLv u`qip ը4$UwL[-66]4!x|F/ 3Lcv:ErLjSxQl f0~Cu&.F[y;D'?pMdNt%w;m@01d'g{;"{sG@M5v|x24Ǎ@ BL |Z"iasu*<|*F}`tBBh7_+$e&:B{Da0֟q{C*{0cYNtuQgwF*9w 7%f0k~b|}R  #]z.R/+]Es)4?Ñ<ȩ,VFX*"V*Z KJH ]? j?X {9n8%$?؎7Uq5:MfiT1f^Ty5b;=G/4tAj-biAN2·Z.֘0h*B Y霴 xk5=]\UBJ ?=܏|^ԙn:ϫVDs="`U8?ZpՃ&.'hb zRKo;C'4DND] j߮2G&̟uQnNaDho_Վ ]#@A'TR07-lri;NRU D#'&E"%Mjj~JQ*˕JwH/>e;R}qrMJ$ZZ J2`6 ѣq\+/0lz(gzEkɽv=/=yJmճ tñFEL>LxxX bk?HYKAt9 c}_ w-؇ Zi\TGQ/87#zޞr6$|͑I#O3O. HuWknr9?S\mxN3b_aRmsΨ sct%#{3,jq,o.04&n99Sm6}axS T4 khވuX{Яϡgg㍨=-Nȵ(đ n$cܦbD+ .m2FwG#S3OLP$@%  ƈ16,6M$AdЃ5T?Ot^[!ʃR{V7>2<{VVl-\`pܶ KGyg%W0OFfmx[+}Y)p48zx9ڀkcjEl~0hTL6 ;6Rzވp;e# sZ 醶`Mi$b Ӊ"vFf.Bd05=!vgV\oz~}C @̝k`5?^80Bsx(T CӠ0G C9 ,d0W Hv»1Bs\vif+fڽ}gC&7L6:LXS0N[Ѿ'HEtcDTw.3ȏah 3Y}Qyxˤ  4>GH[~ףMNssX0! ^C.B'Q? $hTF$EhdH6Gb9L[ftFLN[ذ5c?:yO>v;W_j Y {(Ss3B@#(⯀4Q8&.H n$H)iPhP؞?0mȠ KL)asSapf ԩL\Vej s-8ԭ 6D> 0VY kػyС5NG$#ۛSg08Klݜ(8*SZ1It.CK/HFzFsƒڨIw'拈c$\c|EWo&Wr%Tk~HE6gpa)h,'/7 fwV3+Xı:Z+i+ 9Aɑ=} YwO|TB>'};ċ'rڽ&-rznއu^y?a]+|nUs'WN;e?<5(7z;*:ՕU&BY2 6SfT} {̤9,,% ywl"8lRO|?SoIk*5+(΁33_3ү!z}q (ޅnF:Rz} झ~ O?y NyY95;'оNF>ӹHw2s/ ?O?/RЌ_d_d^ds EF/>/2">G/3?fAYF? ~{1?s w1~]h7]? ͐/W@Wq2_\gO诟A_ >dGHѿtߛ o2ɠ\'2u S.ryA/ ȋU৬tXB]f@z|BGPn3Kkr>ubxvgY늮̌j7m(!9q}³2;3h oBce=Y$oq`CaRׂw>ZqZР^u~ !M?ڳiH,u4d8 ߜ:Ra7_a%ɠ1zi6MS] ԐUFWqPѰ؉v݁4DɹP))JIoR-W+w;5"\ıOs><cYeIjbo9Rʥ*D`q:EdxlD!*Ei䫔8IC@b${[ɚFo70!E#3&^Jm ^Hf, 2T/2{_A1B}$A)7Jb'c{8z5Ҕ%;әޑޤWfP!AhelI]*B똽z:4e:@@C50p9Khw ޠ{ԑ}z<8V?A+aL-ު4U] MD|ߢ6zO{ e2;[h@ն v3ffvj/A'r:>ه޳= Cuq9R"b‰5w (6-WZm;<o3-KX v;n/kja5! Rϛ yM$ >^ic>/u$Qb f$G1x_06cSVWb=LNWgG =-a^1 -^ ?y[6˅}[8 T g[=ǙېZݕMݎ:Si~*,x`F!n֔c…ad!sSOtx'(-35S&"l }_A>7u=vcI59DO&~4gI+}{O~ %$Ie`Q`8N 04 Φ%BfH*HĞP[ =6ὧVߜs78rm$рWL }+̑Rm5u;WdeFӹ"=ǚq3% >%f}1b+%/* 0Z< r(12ǃV붰p5oW2 33>F#qyU(p6d+;!SãS%Nob_⥷vT7eE&L1)Ž)+KpIФY7{4 Anv+YJ>= T@|ޭKlNԀf;a3Cp | ?,ڎNM[5lٸ SRLQPڶRCKA34 ԏkeh[b K"CZ2a 0TG7Y4s*>ܠK6A/)oKkm+n$(+nNv˧9Dg7>Vl4lmπ huC(DP"?hFq:hI W9:-| 0qMĦ2p2~62RWD )۱Ybd휙n'mrΦ(@0rē#<[^ҵ<oc5SW<2Yn0w6LK#]ZDc`Wpۂ{Di["ʥ.lSl̞=Ba҃𦇝X_X ($ LwEN!hU.nDoxS }JP]oXۂvScڜ˱i)uࠂׂ.V3Byeb xջS#z.FiA CaXqO]> @68 .ƇXW654exp1LXBL+ַ 9 tt*hH! E"*D0;'R:43h;[3THهl~H&/'с,Y[нJEB><&ahzBybSS2s+ؔĽYߊwfg@sO{̲jg +#_teǎskݧg{7ooJOO^#nFߥ/c+_ŁXLt3/OL༿ HưX ) SA(ڇxr!D# 묏 BLۃfJ b_-#?h[h*|]AY>s ]i6IB;/W7) h2b~{8..V+5yc 3V84:*@ϊuG{ -yv4 p̲( TRȲRh 2 8ŮkEml C5ɂk7XP7ftRGsFnRDq̱ɺas`i_)f9WMnTȨߣ%^;U1#;4~Oe Q¬|ʒ$wYpЯ7RV 532- "u'5jw. o8pa%¯4'CewTo %^QG?_gԴ+JWm~UX욨nK{&9X9G0>;*%UѦ'±JS_|57^FնCd KS=1A#zЖ]܄]*#˵ :*zl:48^E!Дb^Dk0RJED4J7y0pS>~py"-ѹ[V;Mo?EEWXx0x,ج@