Microsoft focuses on security development life cycle

By David Worthington

September 25, 2008 —

From ILOVEYOU to Code Red, Microsoft faced an onslaught of security exploits at the onset of the decade. Taking those events as a wakeup call, it changed its approach to security, adopting a security development life cycle (SDL) and creating an internal threat modeler.

Now, Microsoft is launching programs to take its SDL experience to its customers, and will offer tooling to help organizations review the design and implementation of their software in order to determine requirements for security features.

Threat modeling processes have been in use at Microsoft since 1999, and the threat modeling tool is a core element of the SDL, said Adam Shostack, senior product manager for the program. Microsoft’s objective is to transform threat modeling from an expert-led process into one that any software architect can perform effectively, he said.

“We looked to develop a process built around things typical software engineers understand—they will know how their software is actually built,” Shostack said. The tool contains a bug reporting feature so developers can treat security vulnerabilities the same way that they already deal with defects and features, he said.

“It pushes people to use the threat model as a driver for the entire security development process,” added Shostack.

It is not rigid, however. Users can choose not to model certain threats that they feel are not a tampering concern, Shostack said, by selecting those elements and choosing an explanation for why they are omitting them. The tool also provides an advisory area that informs users when the modeling process is finished. “People weren’t often sure when the process was done,” he said.

“Microsoft’s approach and new threat modeling tool make it easy for application developers to identify potential security issues without having to be security experts,” said senior Forrester analyst Mike Gualtieri. “I like how the tool generates not only a list of potential security issues, but also explanations.”

“There is no good commercial tool that does this,” observed Neil MacDonald, a Gartner fellow and vice president. “Microsoft created a wizard-type tool for threat modeling. Even if you don’t like Microsoft, the tool is useful.”

The threat modeling program will become generally available in November, according to Steve Lipner, Microsoft’s senior director of security engineering strategy. It will integrate with Visual Studio in order to file bugs and will be a free download, he said.

A one-year pilot program, dubbed SDL Pro Network, will train security experts in tools and guidance associated with the SDL, said Lipner. Nine companies in Europe and the United States are participating in the initial program. Microsoft’s goal is to scale the program for broader membership, he said.

To complement that effort, Microsoft is introducing a maturity model that it refers to as the SDL optimization model. It is designed to help organizations self-assess practices for secure development and to provide SDL Pro Network members with a standard framework for providing services, Lipner said.

Microsoft has based the program on its existing infrastructure optimization models (APO, BPIO and Core IO), according to the company. The SDL optimization model keys in on policy and organizational capabilities; requirements and design; implementation; verification; and release and response.

“Microsoft has talked about taking SDL external for a while,” said Gartner’s MacDonald. He noted that the programs are an expansion of the work its consulting and professional services have done already.

“It makes great sense. We point to Microsoft as best in class in terms of incorporation of security into the development life cycle,” MacDonald said, adding that many of Microsoft’s customers struggle with how to modify processes, establish metrics and, most important, foster a culture that embraces security. He said that learning how Microsoft accomplished those tasks would help organizations tackle cultural and political challenges that are often much greater than the technical hurdles they face.

“We are asking customers to make [SDL] a priority,” said Microsoft’s Lipner. “We are making our SDL experience available to developer organizations with the hope that they will reflect the lessons in code that they ship.”

Attacks stack up
That commitment is important because attacks are moving up the stack from major operating systems into the application layer, while Microsoft software is becoming more secure, he explained.

To prove its contention, Microsoft referred to data from the IBM X-Force 2007, 2008 Security Report, which reveals that Microsoft’s total share of disclosed vulnerabilities had fallen over the past year. Microsoft says that after adopting the SDL, there was a 45% reduction in total vulnerabilities one year after release between Windows XP and Windows Vista.

The 2007 Microsoft Security Intelligence Report tallies 504 major operating system vulnerabilities found in 2006, compared with 6,099 for applications.

“The responsibility for producing secure applications ultimately belongs in development,” said Gartner’s MacDonald. Vendors that treat it that way are on the right track, he said.

“Think about security in requirements,” MacDonald said. “That’s what Microsoft is talking about.”

Related Search Term(s): security, software development, Microsoft

Share this link: http://www.sdtimes.com/link/32894

Microsoft's plans for post-Windows OS revealed A componentized non-Windows operating system is in the works at Microsoft, one that could eventually phase out Windows. The OS features asynchronous-only architecture built for task concurrency.

Microsoft adapts SDL to agile development Changes to the SDL facilitate security testing during development, but experts warm about disruption to agile teams

The future of secure development at Microsoft Microsoft is continually evolving its Security Development Lifecycle processes to tackle new vulnerabilities and technologies as they emerge, as well as adapting its processes to agile development.

Comments

03/16/2009 07:05:00 AM EST

I started programming on English Electric Leo's and ICL 1900's, then moved to IBM MFT/MVT and MVS and Z/OS. There has never been a security problem with any of those operating systems. How come Microsoft allowed all the problems they had to happen? And IBM didn't? Namaste Clem

AustraliaClement Clarke

03/16/2009 03:23:33 PM EST

Clement - You are not seriously asking this question, are you? The words: "Attack surface", "complexity", etc... all come to mind. -Mark

United Statesmark feferman

Add comment

Name*
Email*
Country

Comment
Preview

News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 3/15/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.
03/17/2010 11:16 AM EST

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.
03/17/2010 11:08 AM EST

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.
03/16/2010 01:10 PM EST