Other Companies Adopt Microsoft's Security Practices

By Fahmida Y. Rashid  |  Posted 2012-01-14


The Security Development Lifecycle is a mandatory policy for all Microsoft software that ensures teams are designing, building and testing more secure products, and working with third-party vendors and the public to warn about vulnerabilities and resolve issues. Microsoft introduced in-depth defenses, such as address space layout randomization and data execution prevention, in its products, and added security features to guard against stack-overflow errors.

Many companies, including Adobe and Cisco, have adapted the Security Development Lifecycle to beef up their own internal security objectives. Adobe has been working hard to "transform itself into the next poster child for security," Ron Gula, CEO and CTO of Tenable Network Security, told eWEEK.

The company also focused on privacy in its products, publishing privacy standards for developers and providing consumers with layered privacy notices. Privacy will continue to be an "evolving and ongoing effort," especially as cloud computing and the increasingly connected society create "vast amounts of data," David Burt, senior communications manager for Privacy & Safety Policy, wrote on the Microsoft Privacy and Safety blog. Microsoft will continue to protect people's privacy, Burt said.

"We're proud of what we've achieved and of the many innovations that have become accepted as industry best practices. But it would be wrong to congratulate ourselves on a job well done," Hall said, adding, "There is still a lot on the road ahead."

Microsoft's security efforts have made it harder for attackers to compromise the operating system, Gula said. The regular updates, security innovations such as address space layout randomization and data execution prevention, and the increased use of sandboxing, have increased the amount of time and effort attackers have to expend in their campaigns, Gula said.

Many of the attacks have shifted focus, targeting Web applications because those are not built with security in mind, Gula said. While browser companies are innovating and stumbling over each other in their effort to roll out the next-best security features, the applications themselves generally aren't built by developers with a security mindset, he said.

Microsoft will focus on the "PC-plus era," such as mobile devices and cloud computing, and the role of governments in computing in "TwC Next," the next 10 years of TwC, said Scott Charney, corporate vice president of Trustworthy Computing. Security, privacy and reliability strategies must evolve to "remain potent," Charney said, noting there was "still much work" that needed to be done to make computing "more trustworthy."


