Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft: Software Security Trendsetter?



 By: Ryan Naraine
2005-09-19
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Microsoft: Software Security Trendsetter?
  2. ' Microsoft positions SDL as '

Rate This Article:
Poor Best
Microsoft: Software Security Trendsetter?
( Page 1 of 2 )

Company is sharing an internal blueprint that it uses to reduce security flaws in Internet-facing applications. Will the industry accept Microsoft as a security leader?Buoyed by the success of an internal blueprint used to cut down on security vulnerabilities in Internet-facing software products, Microsoft Corp. is preaching the "Security Development Lifecycle" to partners and third-party developers.

The SDL, a collection of high-level principles and procedures covering every stage of software creation at Microsoft, was the topic du jour at a security symposium at last weeks Professional Developers Conference, where Redmond shared insider tips and best practices to guide the "cradle to grave" software process.

"We think we have our act together in terms of having a well-documented process to create software to withstand malicious attack. Now were starting to talk to customers about what it is and what it can mean for them," said Steve Lipner, director of security engineering strategy at Microsoft.

Lipner, who led the PDC discussions, said the mandatory implementation of the SDL at Redmond has been a spectacular success, borne out by the fact that hackers are not finding many critical security flaws in products that have been meticulously engineered and rigorously tested.

Resource Library:

"As we start to apply these practices [at Microsoft] to improve security, the attackers are going to look elsewhere," Lipner said in an interview with Ziff Davis Internet News. "The people who find vulnerabilities are going to go up the stack. Thats why its important for us to share our experiences with outside companies.

Click here to read more about SDL.

"The attackers will start looking at end-user organizations, Web sites and ISV applications. We want the rest of the industry to be ready when those attacks happen," he added.

To many, the image of Microsoft as a security trend-setter is the ultimate irony. High-profile worm attacks and the slow approach to patching known vulnerabilities has helped to feed the public perception of Microsoft as having a lax approach to security.

Lipner shrugs those concerns aside. "Im aware of the perception. I used to work in the MSRC (Microsoft Security Response Center). I took the vulnerability calls back in those days. Theres no such thing as perfection. There are technical reasons why it isnt practical to expect perfection in software. But, if you look at the improvements weve made and continue to make, I think we can hold our heads up high," said Lipner, who co-wrote Microsofts 19-page white paper on the SDL and its benefits.

"Were not here [at PDC] talking about security from a perspective of arrogance. Its more along the lines of us being honest and sharing what weve learned from the SDL to help customers."

Click here to read about Microsofts Security Response Center.

"The days of people questioning are pretty much behind us. Customers and developers are willing to give us a hearing," Lipner declared.

And, he insists, the statistics back up the companys claims. Pre-SDL, Microsoft released 62 bulletins to fix flaws in Windows 2000, compared to just 24 advisories in Windows Server 2003, a product that was engineered under the SDLs strict procedures.

Next Page: Microsoft positions SDL as best practice.





  Reader Comments: Microsoft: Software Security Trendsetter?
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xr80VӮc]mT![rYST婎PP$$M8NK3n&t%U>[.["2H$Iȅ3&ל۔O]sSãw$~]2I-*rdz&j9%G jL7R}f]S p ׫LNშ 'UGЖL55Κ}ٚc86h2 X-$(Nմ,lZ P8"X.( fwm<&a}# $aTT{>o9{ۖ3p)sgyÝ5j.ir]ϯr$(֝[pmKIu]+h0u=;yXc 8 d}+5UJ`Z. $0^:^gv{jtkzSҏz-[MюR=6,gfV҈ gUUYNڭ~S~6.vEv ;l,aR422V,]YFȏwAy|qӾlvoz{MVY;i OɷV܌xSQ.:aZ+UCIͽGf=jI>\OIN©,7M~tǷP[,.s$BrZ~@X*6 2ofu tA[&%0ɔSH  :99~mM!U:`O7SIs뮖;nZK}0[-RF&\ ДaC\ش 1"%hJ@{e $}ВEtBAͨ8 .)J!"xN3̸!ȅQ.%uĆ> jyb)56'4}t>჎$1hƋCr[nL,rӇ 4@.~{ݣn]?'tnYXŞ+LRVi`I l"a&q}s)к`y&na10B?FlnP>X^0jp3*qs=>o  ߃5#j閭-L<ģܠ>̨(q9-R&;C/1tS 5mUAJ  |͏U=b$`~f =DyBfOx7;rkkF+UʝWRy'g|)WNyքc$C ֳ6_2˧L)Esr6:w'ѫU?z~MkCT8@r6ҁveZZ @-ĿUi ma76X5oQ׆V(&,)T 6šiYl`cytE9ʆɨa0ہ5s7\PeȔmyt}4EkaZ,<>疭p6X"@@wM)mT.mT^͇gϧީ;i6E7{LM|tf:s?نdpg׏Ф0W2PaBSfg`}1J2躢΍ X:X<~o™5z1|*j0&B$W(^x}xN`'\sW&LJ}OYвNzu6$\]Pr)SLz06AaeL䱯Yt@FM@X G\d`АBrAa T+S//' 7Ca@.6~Î?DNQcG=<.C+DÜU^oVw.$JPVbrxC+jr\T+ qv$A~~ć8 iF @rFW}}150?Sc`9gr87`3|x+}Km˰p c.Z$ c`7._kOWbL['ʂX hO7`sk'k0MCV0! H*h6І{egjڳP twPJ v|~KFhI[dXEλԲ'**5P6>*0N枏~+kF$؃S F1j>L}\SaWݬ`B[$ zDÈ i{<qŁZ ZYMf~q?܎3XAm†9+:sD ü8 z30Jјlwl^Qm(}< *Woᔻ,pgSk),rljqc0:g<}'YQBn;Jr fĀy@?uUJ _2LdT~#\yRflzg]a/&9Se>e'ß~TScZo!UlZGOLD7n3/ DVێI9dYb:1Ki>C?9dI }3 ] sV> ׯ|咭|j嬕Vwrʣ: ߀&?\@qccAH.owBOHGX~ǍpXkǭN:@"7Aqd.s_wf=]~oLgƩ4>ʀkG2gdQhVz 4`ex..3 ac>q/~h)TGEؾqkX c=O f+(U|ly5}&QrMuE l&ŏh(UrmVՏC>QjQy`*+ZR<*6 ZlmL l኷q@Kτkox~E 6-2j=kR>,ҕKOe3q18@أ=x}d6 5C+jBgEr`3O?-$NV}m4uH"5Hq+$X˴I>NatA*¾G̗vSfn Ϛ_ qΟӚr`>hJj$7rQӊ5JR'0X 8~AbQ=Y rvjT dPZxO~|+tSZ‚'T'.\'+cI`1Eq8x 21/ȟ-1Ή{է}VU'&/(0h_@m໶$\/@v#{?Jb䏽n)h{ٗŗ#|DŽaa=&~"`}f{Y\·]`1*/1]OMi|hi\}dzLR(1I]2|r̡qWf}Am᳋Y?`yAѰIvNCR|I{ѽoeKJ:^;OzO1Of4~ɮP6=8Y,lrl%׸vRt/0?xԾhj?&i^3_; jE5pXISB9kթ-HӖO|BQ8pJj8DQ28Ic6uYXMxIS:%ə$E=)*چIդ28I5F4A2 uIH? Md4XPWl Pق'59ݻ<//iw>76"@u\e0 `qo6.…@P V QגZ4\һoeW!7?|Sr'Tzo3)Wy^={oOwXyq?go ~8qEt2Ti 'sؾr=huӅ[ey%sm#Ƅ{`sk@לO(pE1|&tG(ЪEk24aϝUjkӮ< #sCӝꖃ(&HK.}Ҹ跮IK09iJs ZBwGL|5zÿ§ ' :r;kgϜtGo;vkm,da3fo$׾v/=w~Z:w[q*A-wCOl/t:D(jy[agwCWȪ̅S.{ۋ }L9zg 1@7Yud3D?ye919gnR;-zc1-?_gpKw zK[imD)]K5"v%ًKqɧyeYj ȓGDK`#i>R?{k!bi4W;Tf{s̷kD>dO#@/lFɢm|62/> AYCXؙqbLpx2F'F[e w+[SgSc;/HF#%gOS˱6mG @|א ;ar*|b ܭ<U Wo[1΢$g |o(o'򽥎xk5ZKW𯹄;L_lZS| \(.AӞ <ߌ ZГqk+B<ыO\m1j-X}O|{2 Za72ϦΒYfRRKDI-[bM/])DM"B s76DxB]-hg W0'Ư-ŇJ `1 5ן[ӨGe/^vP/YԵAEx=|ұ)ŷ6V"I~!MO{mq.˧G/C9"&O.n"#\SzD13b.<׳̚zٮHдV<ԘR !]r{YzpYi0%mu?> [c21b7)&#K.w2g@S^g )KCӴ0 Iro: Wf{,&,=˰dgY]htD T gt$ikNS Ld-̓#aC(P+aV8j9ϭ֙vV#tpE#C0)ǯ^`u #'IB:0 xtǟT:%9ՊVe!bVA?"t $t'Lՙ0Xj y u{RX]*AY *D f!<3!3xۋ2I |.-B2z}O`m٪luMy6IM:u]cL$zDC¥u$P=TC%0,!.H g%4 Vޖ׊/kfH HcdˋTd>BxXja@Ig*qJ<9TY]F'B &"1 (B >u0f+јIؘƯ6#.q?^g'fHJQRmc`쵿VsT nIjl0ai]0x;nYv뵲ȵrONv]ZzѾ~ |kJ+azlő  fy^e?UzuwbTAmb~S[opppp W+pc}kwDz?poUmI~1ʳnijZΔ5e^?<ᙝ%,YWc~aA.:JY_P.?&I$$$${N2PU$^ !!זK,^l'.V  !ı FP?q5-B? J7Igl^b͓-Vվ+Z:NsLug<:7bkIv$!{ hdpOsE( /yj4#\FQȶfZ,[z'֫' )"\ߡ;LJW,F2FD^Ǣ 1?Z[;})}7^TE,FVFF~wD52 zFF_RA"|6E prr^_ݱQ lw*g'%?[^(ozΠgL?~DRN_|Ϩ\'5Nsa`*t">ݘeu{ҠBGҚC-`d;1Í5㵙vm@˽=^tImY{`8ËLJf01{tѕ\VoJYb'VCleObr,CӺ^ z( lR$I3ƹ'}_bET2̭-7dn5lVZ^䵈h<ONp`]gS`4ε7 ygl]"ҶF͟xT_?8[27̫)c꿓$yg1n9VJ,S"&pP]?zUccc^]aL槺Lz6ⵏ~GeS`ٿggFvxh#T_cZPh lόc[?Cb$J_n kza3 ΰ.$o,Sͦ 0i:6M_׻͟ђz@~RJq/ddMgNp^x G),E| q+xaQ)5.Ov[cx$݄!c\vsƏ{"(#=tATh6#,^q Iab!vM4#|ȮHA26HA\ۦǽ7hNsEJN(a~4>(C^PB^]’{v]=1Imr9ꚚrMUk @fa %bl\M'p.$XD ` $yuQ%"e3)Mu{0]2ΩTl,ZNxkRȥƘc.ZE9TK.}K@*+N+xܥtW L iok"r\IoA$ΨPVѭG UP+$4h9^HQu8nGgüG;b~ \z^GFJ;w^"6]^q=!o7ݝAVnVu&ңC[wn׹#On@ O&p'찔?103l,ˉ_""A^~ lMZk')3"[Gmt{HTaU*e9 JI-dzy=0#_/]YjJEU0=j2;c ߍ04J5r7duȄ`z%Ed#usK%XSt^0^ H1Z'}kJ%:X.6鳏ji' 1 m&0=8~xfl;|w\ۭ5LQ:]L= ,/71|.%5&o[I{e>9biӹ]I0WD ]%FR)Ot)@8W'b^n90؞b-,9+[d_a=%U$d[j4K$<{7H tAuGw,@8_E"ͨaTJ[ J}z%rc[q{Zak4u4Ӆ_~Y3ZNHh״ J;Y]~_!Ƅ7)<1W<00t+P̲jNT]OpY=CE3 L w>QHUljd}mxxJ" rK͒Ӥ:&ݙyK ]Сr@JoIg/t4|x}A6ژykiF$٠cMr'\Ix##ܔk3`vs uǤZ̈́pxҚ ,;YC) Q?\y1")(ĴF#1C4 ic6/{1u z!cZ|"GX#&3(9k_~ :* $U,%O3 "PV: 9C(^bI ͍$\}~69 l :La`t.t?OgA~2jt:& 2Ll{;Λ}=AG,G~61=` ?v^.qtsx\jJ߄(VIB uXRFB(s-8R$c 36þ~6 _F`p3W VjE)OBӁRk]j)<>}Ag UFoi VH+^@0w4tܽ@#b`nڟ` WW_Y4uEzNz~{INZ| Z3pxԝsm~9^}9k_ۗ\1(B_e_T 3',C rv贘28SΘksYx9% E*whs\ȜHǣWɴVی |.y|e8Ntw<1 }Qf1.? vt{ U K \<rx$>| #rӚCg>'[_5}MoMg:SN?,R+|c ,>(Nh8kjzrjhN4pݣ97فn C\ԴZjRs?'Hd!8 "2fDdU*.R0X\^9Q(Nwo*K0njy=!J1 =tc֭dO1BH"׏ ѱ7:fMW1fdy7K%p8cokx;b(q ?,(sT[Fl\BCVw,v+r{]OڸAÆ߄^Vٍv"n<4Nwz:d@4ǝaƹrV0@z4}z|qn9Sųl1AЩ>7gB΄[6п#ds%(ML _p(}d( 5t0=_2nu¶'6*F'6!mh#׫Erly0gKlgXSoX70( 8[]^Ṁ~Kܻ-޿' " n+;M[Y zn V\ZkR0A<^J Ӯ(6EwE>qX|5h_cd9Mk+͘P|_'07:%;Yq<y9uT_+wa(A'oTG|O0.˳Nm(b uCݍ;S'/Ձ&;_M۴|vsvGԡ:-B-?\vixF26XQS&b5b P|_|a9vIw 6{Nz ̄0Q?~?K+_yl JIأ_BDOv&nA9/{uv 4`/oy^EltΖbo*_HQ۝aNm% n)%&oNkv1Zb9?v"ㅰxo!Z^y|TLlsD?>K:[S1U)֒_6/gwǁ;y?sԷeEQ&PL;tWێV*iů Kw? oX)u'|oȯ)0Py4w<p2I>0a9iwsD: DePޙ!/;cSF)f'NFp)N|sEzV?ĵ 3 MX|w^ة;Oq^'d9e7cx'ěc :۳+~"3v[vo.d|cρ!XwCQ%7` =[-Hˍt/Asl2qcZ[ +"ۂ Km˴6uW¥":UXJM X,8/ m9Qh~r"#<[_ڵ<ok3)+o[wt-(5x2;n6m˟~HױI5"`:Vڕ+zYL20cwϏp`2[]g4^5϶p2$82#" $8zIW6{{a0&iE㨤t`C v_ʉqph;?҈Y>A wvǰ.XF!&ۅ7O80Ux|-h\s;X\e,8LgѼ3E~1zxX0U9wm j7WhȀ7H>Y;XD,5R7tP9˓z0s͹!׆) a+cPOYjcL1GfY{ LWGGSy6;|,ݐbVS"Nd׊rI-9=O9.*LX6c?tf ŷ@˽ŵ]^g*a?|GK-^P?Q> χ"@LNENE<<Kf}')VS,_Xџ_,P>q*g\`