LOGIN | REGISTER NOW | SUBSCRIBE
 
 
News on Monday
more>>
SharePoint Tech Report
more>>


   

 
 
Download Current Issue
ISSUE 2/1/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?


 
blogs tab
Is Microsoft eyeing Office subscription pricing?
Microsoft may be preparing to offer a new Office pricing option called "union," which charges the same for cloud as on-premises.
02/01/2010 09:38 AM EST

Facebook rewrites PHP runtime
Facebook is about to open source its own PHP runtime, written from scratch for speed.
01/30/2010 08:53 PM EST

There WILL be a JavaOne this year
JavaOne will happen in 2010, as a co-located event with Oracle's OpenWorld, on Sept. 19-23 in San Francisco.
01/27/2010 01:02 PM EST

 

Events calendar tab
Macworld 2010
2/9/2010 to 2/13/2010
San Francisco
IDG World Expo

SPTechCon 2010
2/10/2010 to 2/12/2010
San Francisco
BZ Media

PyCon 2010 (Python Conf.)
2/17/2010 to 2/25/2010
Atlanta
Python Software Foundation

Southern Calif. Linux Expo
2/19/2010 to 2/20/2010
Los Angeles
SCALE

IBM Pulse
2/21/2010 to 2/24/2010
Las Vegas
IBM


 
print Printable version 
Most Read Latest News Blog Resources
Facebook brings HipHop to PHP
HipHop compiles PHP to speed up the Web layer at world's most popular social networking si...

Syncfusion announces component suite for .NET 4
Essential Studio 2010 has business intelligence, reporting and UI controls, ready for .NET...

Oracle acquires AmberPoint
Today's merger will probably affect most of AmberPoint's existing partnerships with other ...

Digg!  Digg
Reddit  Reddit
Slashdot  Slashdot
Share on facebook  Facebook
Share on Twitter  Twitter

Microsoft focuses on security development life cycle


By David Worthington
September 25, 2008 — 
From ILOVEYOU to Code Red, Microsoft faced an onslaught of security exploits at the onset of the decade. Taking those events as a wakeup call, it changed its approach to security, adopting a security development life cycle (SDL) and creating an internal threat modeler.

Now, Microsoft is launching programs to take its SDL experience to its customers, and will offer tooling to help organizations review the design and implementation of their software in order to determine requirements for security features.

Threat modeling processes have been in use at Microsoft since 1999, and the threat modeling tool is a core element of the SDL, said Adam Shostack, senior product manager for the program. Microsoft’s objective is to transform threat modeling from an expert-led process into one that any software architect can perform effectively, he said.

“We looked to develop a process built around things typical software engineers understand—they will know how their software is actually built,” Shostack said. The tool contains a bug reporting feature so developers can treat security vulnerabilities the same way that they already deal with defects and features, he said.

“It pushes people to use the threat model as a driver for the entire security development process,” added Shostack.

It is not rigid, however. Users can choose not to model certain threats that they feel are not a tampering concern, Shostack said, by selecting those elements and choosing an explanation for why they are omitting them. The tool also provides an advisory area that informs users when the modeling process is finished. “People weren’t often sure when the process was done,” he said.

“Microsoft’s approach and new threat modeling tool make it easy for application developers to identify potential security issues without having to be security experts,” said senior Forrester analyst Mike Gualtieri. “I like how the tool generates not only a list of potential security issues, but also explanations.”

“There is no good commercial tool that does this,” observed Neil MacDonald, a Gartner fellow and vice president. “Microsoft created a wizard-type tool for threat modeling. Even if you don’t like Microsoft, the tool is useful.”

The threat modeling program will become generally available in November, according to Steve Lipner, Microsoft’s senior director of security engineering strategy. It will integrate with Visual Studio in order to file bugs and will be a free download, he said.

A one-year pilot program, dubbed SDL Pro Network, will train security experts in tools and guidance associated with the SDL, said Lipner. Nine companies in Europe and the United States are participating in the initial program. Microsoft’s goal is to scale the program for broader membership, he said.

To complement that effort, Microsoft is introducing a maturity model that it refers to as the SDL optimization model. It is designed to help organizations self-assess practices for secure development and to provide SDL Pro Network members with a standard framework for providing services, Lipner said.

Microsoft has based the program on its existing infrastructure optimization models (APO, BPIO and Core IO), according to the company. The SDL optimization model keys in on policy and organizational capabilities; requirements and design; implementation; verification; and release and response.

“Microsoft has talked about taking SDL external for a while,” said Gartner’s MacDonald. He noted that the programs are an expansion of the work its consulting and professional services have done already.

“It makes great sense. We point to Microsoft as best in class in terms of incorporation of security into the development life cycle,” MacDonald said, adding that many of Microsoft’s customers struggle with how to modify processes, establish metrics and, most important, foster a culture that embraces security. He said that learning how Microsoft accomplished those tasks would help organizations tackle cultural and political challenges that are often much greater than the technical hurdles they face.

“We are asking customers to make [SDL] a priority,” said Microsoft’s Lipner. “We are making our SDL experience available to developer organizations with the hope that they will reflect the lessons in code that they ship.”

Attacks stack up
That commitment is important because attacks are moving up the stack from major operating systems into the application layer, while Microsoft software is becoming more secure, he explained.

To prove its contention, Microsoft referred to data from the IBM X-Force 2007, 2008 Security Report, which reveals that Microsoft’s total share of disclosed vulnerabilities had fallen over the past year. Microsoft says that after adopting the SDL, there was a 45% reduction in total vulnerabilities one year after release between Windows XP and Windows Vista.

The 2007 Microsoft Security Intelligence Report tallies 504 major operating system vulnerabilities found in 2006, compared with 6,099 for applications.

“The responsibility for producing secure applications ultimately belongs in development,” said Gartner’s MacDonald. Vendors that treat it that way are on the right track, he said.

“Think about security in requirements,” MacDonald said. “That’s what Microsoft is talking about.”


Related Search Term(s): securitysoftware developmentMicrosoft


Share this link: http://www.sdtimes.com/link/32894
 

Comments

03/16/2009 07:05:00 AM EST

I started programming on English Electric Leo's and ICL 1900's, then moved to IBM MFT/MVT and MVS and Z/OS. There has never been a security problem with any of those operating systems. How come Microsoft allowed all the problems they had to happen? And IBM didn't? Namaste Clem

AustraliaClement Clarke


03/16/2009 03:23:33 PM EST

Clement - You are not seriously asking this question, are you? The words: "Attack surface", "complexity", etc... all come to mind. -Mark

United Statesmark feferman


Add comment


Name*
Email*  
Country     


  • Comment
  • Preview
Loading