    Microsoft: Software Security Trendsetter?

    By Ryan Naraine - September 19, 2005

      Buoyed by the success of an internal blueprint used to cut down on security vulnerabilities in Internet-facing software products, Microsoft Corp. is preaching the “Security Development Lifecycle” to partners and third-party developers.

      The SDL, a collection of high-level principles and procedures covering every stage of software creation at Microsoft, was the topic du jour at a security symposium at last week's Professional Developers Conference, where Redmond shared insider tips and best practices to guide the “cradle to grave” software process.

      “We think we have our act together in terms of having a well-documented process to create software to withstand malicious attack. Now we're starting to talk to customers about what it is and what it can mean for them,” said Steve Lipner, director of security engineering strategy at Microsoft.

      Lipner, who led the PDC discussions, said the mandatory implementation of the SDL at Redmond has been a spectacular success, borne out by the fact that hackers are not finding many critical security flaws in products that have been meticulously engineered and rigorously tested.

      “As we start to apply these practices [at Microsoft] to improve security, the attackers are going to look elsewhere,” Lipner said in an interview with Ziff Davis Internet News. “The people who find vulnerabilities are going to go up the stack. That's why it's important for us to share our experiences with outside companies.


      “The attackers will start looking at end-user organizations, Web sites and ISV applications. We want the rest of the industry to be ready when those attacks happen,” he added.

      To many, the image of Microsoft as a security trend-setter is the ultimate irony. High-profile worm attacks and the slow approach to patching known vulnerabilities have helped to feed the public perception of Microsoft as having a lax approach to security.

      Lipner shrugs those concerns aside. “I'm aware of the perception. I used to work in the MSRC (Microsoft Security Response Center). I took the vulnerability calls back in those days. There's no such thing as perfection. There are technical reasons why it isn't practical to expect perfection in software. But, if you look at the improvements we've made and continue to make, I think we can hold our heads up high,” said Lipner, who co-wrote Microsoft's 19-page white paper on the SDL and its benefits.

      “We're not here [at PDC] talking about security from a perspective of arrogance. It's more along the lines of us being honest and sharing what we've learned from the SDL to help customers.”


      “The days of people questioning are pretty much behind us. Customers and developers are willing to give us a hearing,” Lipner declared.

      And, he insists, the statistics back up the company's claims. Pre-SDL, Microsoft released 62 bulletins to fix flaws in Windows 2000, compared to just 24 advisories for Windows Server 2003, a product that was engineered under the SDL's strict procedures.

      Microsoft positions SDL as best practice

      According to Microsoft, initial implementation of the SDL (in Windows Server 2003, SQL Server 2000 Service Pack 3 and Exchange 2000 Server Service Pack 3) resulted in significant improvements in software security.

      Lipner concedes the process is not perfect—and is unlikely either to reach perfection or to cease evolving in the foreseeable future—but he stresses the need for third-party developers to take a hard look at the SDL to find ways to implement some of the principles.

      He recommends that developers look into threat modeling, security testing techniques, a final security review before a product ships, and a security response process to deal with crises.

      “We think the SDL is an industry-leading practice. It has driven security researchers to look elsewhere,” Lipner added.

      With the SDL, software engineers eat, sleep and breathe security at every stage. From the design stage through deployment, the SDL mandates that the architecture is built to protect itself from the information it processes and to resist attacks.

      A key part of the SDL is an education element where software developers are trained and retrained constantly to ensure that security is on the front burner during the creation process. At Microsoft, all personnel involved in developing software must go through yearly “security refresher” training.


      Another element that Lipner is keen to highlight is the role of the MSRC, the Microsoft unit that receives vulnerability reports and responds to emergencies like worm and virus attacks.

      “People normally think that the MSRC gets involved if the SDL fails. But, we want to make it clear that the MSRC is a key part of the process. If a vulnerability is discovered, we effectively do a mini security push to make sure not only that the vulnerability has been fixed, but also that we look at that area of code to ensure no other similar vulnerability remains. We don't want to be patching the same thing month after month,” Lipner explained.

      “Every time we release a security update, we do a lessons learned document. We make sure we know where it came from and what introduced it. We try to figure out if we need to make any changes to the SDL process so we don't repeat the same mistakes in future products,” he added.
