Microsoft: Software Security Trendsetter?

Company is sharing an internal blueprint that it uses to reduce security flaws in Internet-facing applications. Will the industry accept Microsoft as a security leader?

Buoyed by the success of an internal blueprint used to cut down on security vulnerabilities in Internet-facing software products, Microsoft Corp. is preaching the "Security Development Lifecycle" to partners and third-party developers.

The SDL, a collection of high-level principles and procedures covering every stage of software creation at Microsoft, was the topic du jour at a security symposium at last week's Professional Developers Conference, where Redmond shared insider tips and best practices to guide the "cradle to grave" software process.

"We think we have our act together in terms of having a well-documented process to create software to withstand malicious attack. Now we're starting to talk to customers about what it is and what it can mean for them," said Steve Lipner, director of security engineering strategy at Microsoft.

Lipner, who led the PDC discussions, said the mandatory implementation of the SDL at Redmond has been a spectacular success, borne out by the fact that hackers are not finding many critical security flaws in products that have been meticulously engineered and rigorously tested.

"As we start to apply these practices [at Microsoft] to improve security, the attackers are going to look elsewhere," Lipner said in an interview with Ziff Davis Internet News. "The people who find vulnerabilities are going to go up the stack. That's why it's important for us to share our experiences with outside companies.


"The attackers will start looking at end-user organizations, Web sites and ISV applications. We want the rest of the industry to be ready when those attacks happen," he added.

To many, the image of Microsoft as a security trend-setter is the ultimate irony. High-profile worm attacks and a slow approach to patching known vulnerabilities have helped to feed the public perception of Microsoft as having a lax approach to security.

Lipner shrugs those concerns aside. "I'm aware of the perception. I used to work in the MSRC (Microsoft Security Response Center). I took the vulnerability calls back in those days. There's no such thing as perfection. There are technical reasons why it isn't practical to expect perfection in software. But, if you look at the improvements we've made and continue to make, I think we can hold our heads up high," said Lipner, who co-wrote Microsoft's 19-page white paper on the SDL and its benefits.

"We're not here [at PDC] talking about security from a perspective of arrogance. It's more along the lines of us being honest and sharing what we've learned from the SDL to help customers."


"The days of people questioning are pretty much behind us. Customers and developers are willing to give us a hearing," Lipner declared.

And, he insists, the statistics back up the company's claims. Pre-SDL, Microsoft released 62 bulletins to fix flaws in Windows 2000, compared to just 24 advisories in Windows Server 2003, a product that was engineered under the SDL's strict procedures.
