Microsoft positions SDL as best practice
According to Microsoft, initial implementation of the SDL (in Windows Server 2003, SQL Server 2000 Service Pack 3 and Exchange 2000 Server Service Pack 3) resulted in significant improvements in software security. Lipner concedes the process is not perfect, and is unlikely either to reach perfection or to cease evolving in the foreseeable future, but he stresses the need for third-party developers to take a hard look at the SDL to find ways to implement some of the principles.
"We think the SDL is an industry-leading practice. It has driven security researchers to look elsewhere," Lipner added.
With the SDL, software engineers eat, sleep and breathe security at every stage. From the design stage through deployment, the SDL mandates that the architecture is built to protect itself from the information it processes and to resist attacks.
A key part of the SDL is an education element where software developers are trained and retrained constantly to ensure that security is on the front burner during the creation process. At Microsoft, all personnel involved in developing software must go through yearly "security refresher" training.
Another element that Lipner is keen to highlight is the role of the MSRC, the Microsoft unit that receives vulnerability reports and responds to emergencies like worm and virus attacks.
"People normally think that the MSRC gets involved if the SDL fails. But, we want to make it clear that the MSRC is a key part of the process. If a vulnerability is discovered, we effectively do a mini security push to make sure not only the vulnerability has been fixed, but also that we look at that area of code to ensure no other similar vulnerability remains. We don't want to be patching the same thing month after month," Lipner explained.
"Every time we release a security update, we do a lessons learned document. We make sure we know where it came from and what introduced it. We try to figure out if we need to make any changes to the SDL process so we don't repeat the same mistakes in future products," he added.
He recommends that developers look into threat modeling, security testing techniques, a final security review before a product ships, and a security response process to deal with crises.