Buoyed by the success of an internal blueprint used to cut down on security vulnerabilities in Internet-facing software products, Microsoft Corp. is preaching the “Security Development Lifecycle” to partners and third-party developers.
The SDL, a collection of high-level principles and procedures covering every stage of software creation at Microsoft, was the topic du jour at a security symposium at last weeks Professional Developers Conference, where Redmond shared insider tips and best practices to guide the “cradle to grave” software process.
“We think we have our act together in terms of having a well-documented process to create software to withstand malicious attack. Now were starting to talk to customers about what it is and what it can mean for them,” said Steve Lipner, director of security engineering strategy at Microsoft.
Lipner, who led the PDC discussions, said the mandatory implementation of the SDL at Redmond has been a spectacular success, borne out by the fact that hackers are not finding many critical security flaws in products that have been meticulously engineered and rigorously tested.
“As we start to apply these practices [at Microsoft] to improve security, the attackers are going to look elsewhere,” Lipner said in an interview with Ziff Davis Internet News. “The people who find vulnerabilities are going to go up the stack. Thats why its important for us to share our experiences with outside companies.
“The attackers will start looking at end-user organizations, Web sites and ISV applications. We want the rest of the industry to be ready when those attacks happen,” he added.
To many, the image of Microsoft as a security trend-setter is the ultimate irony. High-profile worm attacks and the slow approach to patching known vulnerabilities has helped to feed the public perception of Microsoft as having a lax approach to security.
Lipner shrugs those concerns aside. “Im aware of the perception. I used to work in the MSRC (Microsoft Security Response Center). I took the vulnerability calls back in those days. Theres no such thing as perfection. There are technical reasons why it isnt practical to expect perfection in software. But, if you look at the improvements weve made and continue to make, I think we can hold our heads up high,” said Lipner, who co-wrote Microsofts 19-page white paper on the SDL and its benefits.
“Were not here [at PDC] talking about security from a perspective of arrogance. Its more along the lines of us being honest and sharing what weve learned from the SDL to help customers.”
“The days of people questioning are pretty much behind us. Customers and developers are willing to give us a hearing,” Lipner declared.
And, he insists, the statistics back up the companys claims. Pre-SDL, Microsoft released 62 bulletins to fix flaws in Windows 2000, compared to just 24 advisories in Windows Server 2003, a product that was engineered under the SDLs strict procedures.
Microsoft positions SDL as
According to Microsoft, initial implementation of the SDL (in Windows Server 2003, SQL Server 2000 Service Pack 3 and Exchange 2000 Server Service Pack 3) resulted in significant improvements in software security.
Lipner concedes the process is not perfect—and is unlikely either to reach perfection or to cease evolving in the foreseeable future—but he stresses the need for third-party developers to take a hard look at the SDL to find ways to implement some of the principles.
He recommends that developers look into threat modeling, security testing techniques, a final security review before a product ships, and a security response process to deal with crises.
“We think the SDL is an industry-leading practice. It has driven security researchers to look elsewhere,” Lipner added.
With the SDL, software engineers eat, sleep and breathe security at every stage. From the design stage through deployment, the SDL mandates that the architecture is built to protect itself from the information it processes and to resist attacks.
A key part of the SDL is an education element where software developers are trained and retrained constantly to ensure that security is on the front burner during the creation process. At Microsoft, all personnel involved in developing software must go through yearly “security refresher” training.
Another element that Lipner is keen to highlight is the role of the MSRC, the Microsoft unit that receives vulnerability reports and responds to emergencies like worm and virus attacks.
“People normally think that the MSRC gets involved if the SDL fails. But, we want to make it clear that the MSRC is a key part of the process. If a vulnerability is discovered, we effectively do a mini security push to make sure not only the vulnerability has been fixed, but also that we look at that area of code to ensure no other similar vulnerability remains. We dont want to be patching the same thing month after month,” Lipner explained.
“Every time we release a security update, we do a lessons learned document. We make sure we know where it came from and what introduced it. We try to figure out if we need to make any changes to the SDL process so we dont repeat same mistakes in future products,” he added.