As security threats keep growing more severe and move up into the application layer, Microsoft is evolving its Security Development Lifecycle (SDL) and offering services, support and tools around it to help enterprises build more secure applications, starting at the design and development phases.
Steve Lipner, Microsoft's senior director of security engineering strategy, said the SDL is a software security assurance process that has helped embed security and privacy in Microsoft's software and culture. The SDL has been a Microsoft-wide initiative and a mandatory policy since 2004, and it has driven security improvements in flagship products such as Windows Vista and SQL Server.
Lipner said that, as part of its commitment to a more secure and trustworthy computing ecosystem, Microsoft is making SDL process guidance, tools and training available to every developer. Microsoft is sharing its SDL concepts with ISVs (independent software vendors), partners and customers with the objective of improving the security and privacy of the entire computing ecosystem. One way it plans to do this is through its new SDL Optimization Model. The company also is finalizing a new SDL partner program and a threat modeling tool, all of which will be released in November.
“Enterprises aren’t really focusing on security during development,” Lipner told eWEEK. “So what we want to do is push that consideration of security back into development. Fixing bugs and problems is a lot easier to do in development than it is after a product is completed.”
So Microsoft is providing its SDL Optimization Model to enterprises. “The SDL Optimization Model is a maturity model to let organizations self-assess how they are doing with security practices,” Lipner said. “It gives you a way to look at what you’re doing and think about what you might be doing next.”
The Microsoft SDL Optimization Model was created to facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside of Microsoft. The model places an organization's security practice at one of four maturity levels: Basic, Standardized, Advanced or Dynamic. At the Basic level, security is reactive; at the Standardized level, security is proactive; at the Advanced level, security is integrated; and at the Dynamic level, security is specialized.
To aid adoption, the model is also grouped into five capability areas that help with the budgeting, planning and staffing efforts associated with software development. These areas are: training, policy and organizational capabilities; requirements and design; implementation; verification; and release and response.
A Network of Expertise
Meanwhile, to address the challenge of software security threats moving up the stack and into the application layer, Microsoft has created the SDL Pro Network, which combines guidance and SDL best practices with the expertise of other service providers.
The SDL Pro Network is a group of security service providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the Microsoft SDL, Lipner said.
Services provided by the SDL Pro Network will include training, policy and organizational capabilities, including security training; requirements and design, including risk analysis, functional requirements and threat modeling; implementation work, including use of safe APIs, code analysis and code review; and verification, including fuzzing and Web application scanning.
Initial members of the SDL Pro Network include Cigital Inc., IOActive Inc., iSEC Partners Inc., Leviathan Security Group Inc., Next Generation Security Software Ltd. (NGS), n.runs AG, Security Innovation Inc., Security University Inc., and Verizon Business, Lipner said. “It is a network of security services providers we’ve worked with and who we can recommend,” he said.
Brian Mizelle, Managing Principal and SDL Practice Manager, Cigital, said:
“We see Microsoft’s launch of the SDL Pro Network as a way to take our best of breed experiences to work collaboratively with other security professionals to develop a consistent service offering around SDL. Regardless of the different methodologies in play we all share the common goal of educating and delivering services that protect our clients’ assets and good name through better software security. Any initiative that promotes that ideal is a continued step in the right direction.”
For his part, Jan Muenther, CTO Security, n.runs AG, said:
“What makes the SDL so valuable is the comprehensive approach. While too often security nowadays is taken into consideration too late into a project, adhering to the SDL brings security aspects into all phases of a software project, from the early design stage to deployment and maintenance. The cool thing here is – it actually works. We have seen this with the clients where we conducted security training for the developers. The percentage of ‘classical’ security flaws found in the subsequent security reviews has decreased drastically. Security is always significantly harder and more expensive to retrofit into an application than when it is brought to the table at an early stage of a project. Sticking to the procedures the SDL describes can help prevent frustrating, expensive and time-consuming ‘back to the blackboard’ situations.”
Kev Dunn, principal consultant and technical account manager at NGS, said NGS has been providing security advice to Microsoft for about five years. According to Dunn, Microsoft’s SDL “represents a balanced and sensible approach to slipstreaming security into the software development lifecycle.”
The SDL introduces stringent security requirements for the use of technologies at the design and implementation phases of a project, ensuring that insecure or inappropriate methods cannot be used, and it sets high quality bars for the testing of software from the security and privacy standpoint, he said. The SDL also provides an invaluable guide for software developers when trying to set a minimum security development policy for their organization and offers a toolkit for implementing this standard without disrupting the core business of producing quality software applications, Dunn added.
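The implementation-phase practices listed for the SDL Pro Network (use of safe APIs, code analysis) and the design-and-implementation requirements Dunn describes (insecure methods cannot be used) come down to something concrete in C code. The block below is an added illustration, not code from Microsoft, the SDL, or any of the vendors quoted here: it shows the unbounded-copy pattern beside a bounded replacement, and a minimal source-line check of the kind a code-analysis step would run to catch the banned calls. Microsoft's SDL publishes its own banned-function list for C and C++; the five names in `BANNED` are a small subset chosen for this example.

```c
/* Added example: safe-API replacement plus a minimal banned-call check.
 * Not from Microsoft's SDL materials; the BANNED list is an illustrative subset. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* BEFORE: the pattern the SDL bans. strcpy/sprintf do not know how large the
 * destination is, so a long src overruns the 16-byte buffer. Kept only to
 * show the shape of the defect; it is never called in this file. */
void unsafe_build_label(char *dst, const char *src)
{
    char tmp[16];
    strcpy(tmp, src);              /* unbounded copy: overflow if strlen(src) >= 16 */
    sprintf(dst, "label=%s", tmp); /* unbounded format: same problem on dst */
}

/* AFTER: every write is bounded by a size the caller states.
 * Returns 0 on success, -1 if the input would not fit. Truncation is treated
 * as an error rather than silently producing a wrong label. */
int safe_build_label(char *dst, size_t dstsize, const char *src)
{
    char tmp[16];
    size_t n = strlen(src);
    if (n >= sizeof tmp)           /* explicit length check before the copy */
        return -1;
    memcpy(tmp, src, n + 1);       /* bounded: n + 1 <= sizeof tmp, includes NUL */
    int written = snprintf(dst, dstsize, "label=%s", tmp);
    if (written < 0 || (size_t)written >= dstsize)
        return -1;                 /* snprintf reports that output was truncated */
    return 0;
}

/* Illustrative subset of banned C runtime calls (Microsoft's real list is longer). */
static const char *const BANNED[] = { "strcpy", "strcat", "sprintf", "gets", "vsprintf" };

/* Minimal code-analysis pass: return the first banned function called on a
 * source line, or NULL. A match must be a whole identifier followed by '(',
 * so "strncpy(", "snprintf(" and "fgets(" are not reported as banned. */
const char *find_banned_call(const char *line)
{
    for (size_t i = 0; i < sizeof BANNED / sizeof BANNED[0]; i++) {
        const char *name = BANNED[i];
        size_t len = strlen(name);
        const char *p = line;
        while ((p = strstr(p, name)) != NULL) {
            int starts_ident = (p == line) ||
                               !(isalnum((unsigned char)p[-1]) || p[-1] == '_');
            const char *after = p + len;
            while (*after == ' ' || *after == '\t')
                after++;
            if (starts_ident && *after == '(')
                return name;
            p += len;
        }
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample source lines, as a code-review step would see them. */
    const char *lines[] = {
        "    strcpy(dst, src);",
        "    strncpy(dst, src, n);",
        "    if (fgets(buf, sizeof buf, stdin))",
        "    vsprintf(buf, fmt, ap);",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        const char *hit = find_banned_call(lines[i]);
        printf("%-40s -> %s\n", lines[i], hit ? hit : "ok");
    }
    char out[32];
    printf("safe_build_label: %d (%s)\n", safe_build_label(out, sizeof out, "alpha"), out);
    return 0;
}
```

The check is deliberately lexical: it is the cheap gate that runs on every commit, and it reports the call site rather than trying to prove the copy is unsafe. Whether `safe_build_label` should fail or truncate on oversized input is a design decision; failing closed, as here, is the choice that avoids a silently wrong label.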
In addition, Dunn said of the SDL:
“The core elements of Microsoft’s SDL are some of the core elements of NGS’s security consultancy practice. When working with companies that have a software security requirement, including Microsoft themselves, NGS use a combination of training, product analysis and security assessment to highlight security weaknesses and strengthen a product offering. Threat modeling, fuzz testing and code review are all leveraged when analyzing the security footprint of software; used correctly in combination with SDL minimum standards, these activities will steer a development team away from poor design and implementation choices and will reveal existing security holes in a current product.”
Meanwhile, Microsoft also is releasing a new threat modeling tool, the SDL Threat Modeling Tool 3.0.
Adam Shostack, senior program manager for SDL at Microsoft, said the new SDL Threat Modeling Tool 3.0 makes threat modeling easier for non-security experts by providing guidance on creating threat models and analyzing them. The tool also integrates with bug-tracking systems, which folds threat modeling into the standard development process and makes it easier for developers to treat security vulnerabilities as bugs and mitigations as features. Development teams are already familiar with features and bugs, Shostack said, so they will relate to the tool.
“We’ve been using the tool internally since last June,” Shostack said.