Microsoft’s security development lifecycle (SDL), a methodology for secure software development, is going beyond the corporate walls of the Redmond, Wash.-based software firm and into the hands of enterprise software producers, according to company executives.
At Microsoft’s Security Day event, held in Bellevue, Wash., last Friday, executives said the SDL has been made publicly available to developer shops for use in their own environments as a means to produce bug-free applications.
Without getting into specifics, Michael Howard, senior security program manager at Microsoft’s security engineering team, said there are now at least half-a-dozen organizations that have adopted SDL and integrated it into their own development process.
Howard stressed that the SDL is not expected to eliminate software vulnerabilities completely; the goal is to reduce their number. It is also aimed at decreasing the severity of a vulnerability that may exist in a particular piece of code.
“SDL is not a panacea; [it] will not eliminate all vulnerabilities, and even if we eliminate all vulnerabilities known to mankind today, there’ll still be a new one tomorrow,” Howard said.
More information on Microsoft’s SDL and how organizations may integrate it into their own environment is offered in a book titled, The Security Development Lifecycle, co-authored by Howard with Steve Lipner, senior director of security engineering strategy at Microsoft.
The book discusses, among other things, methods for using a streamlined risk-analysis process to find security design issues before code is committed.
It also offers instruction on applying secure coding and testing best practices, conducting final security reviews prior to product ship, and integrating security discipline into agile methods and processes, such as Extreme Programming and Scrum.
While specific tools (primarily based on Visual Studio) are prescribed for adopting SDL, the process is language-agnostic and can be integrated into an existing development process, according to Stephen Toulouse, senior program manager for Microsoft’s trustworthy computing group.
Under the SDL process, creating new software would require developers to sit down and brainstorm on how a particular product could be misused, even before they’ve started writing the software, Toulouse explained. Code testing is automated and the entire process is documented so everybody can learn from past mistakes and improve on them, he added.
Windows Vista, the latest version of Microsoft’s operating system, went through the SDL process. Compared to its predecessor, Windows XP, Vista has seen a 65 per cent reduction in the number of vulnerabilities, Howard said.
Although Microsoft’s SDL does not seem to offer anything that most IT security experts don’t already know, it is a useful tool for software developers, particularly those who have not really been trained to write secure code, said Francis Ho, spokesperson for the Toronto-based Federation of Security Professionals.
“Typically with programmers they are guided by, ‘I’ve got to deliver this by this day,’ and security usually is an inhibitor to what they want to do,” Ho said.
The notion of writing secure software has been around for decades but has failed to gain much traction, Ho said. “What Microsoft did was put it in a nice book…and maybe this would be a good start (for instituting secure coding).”
Microsoft’s popularity among developers in Canada and North America can be instrumental to the success of its SDL, said Michelle Warren, research analyst at Info-Tech Research in London, Ont.
“[SDL] enables developers to address their projects with security in the forefront of their mind…so the end-product will not require as much work to go back and edit, change or tweak because all of the security will be built in,” Warren noted.
Ho said that for the SDL to succeed in an enterprise development environment, it needs the support of management, similar to Bill Gates’ commitment when Microsoft embarked on the SDL. “Most senior executives view security as an IT problem and until that changes, they’re going to have a long hill to climb.”
As enterprise customers become increasingly conscious of the security of the software products they purchase, however, vendors will have to start focusing more on secure coding, Ho added.
“There’s no absolute security and all you can do is better do what you did before. I think [SDL] is a good thing. Do I think the software industry is going there? I think in spurts they are,” he said.