WHITE PAPERS SPONSORED PROFILES JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE EVENTS CALENDAR ADVERTISING ARTICLE REPRINTS REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH NEWS ON MONDAY SPTECHREPORT SPTECHWEB SPTECHCON IPHONE/IPAD DEVCON ANDROID DEVCON PRIVACY POLICY CONTACT US

HOME >> LATEST NEWS

The future of secure development at Microsoft

By David Worthington

March 15, 2009 — (Page 1 of 4)
Microsoft spent years shaping the requirements, tooling and cultural changes that have become indispensable parts of its Security Development Lifecycle. Today, the SDL is being revised to address emerging security threats, as well as new computing styles and paradigms that are changing the process of how Microsoft creates its software, said Steve Lipner, Microsoft's senior director of security engineering strategy.

The SDL is a mandatory process used internally at Microsoft during the development of its products, and Microsoft began to share its SDL expertise and tooling with customers last year.

A team of security scientists at Microsoft is dedicated to researching new classes of vulnerabilities and emerging technologies, said Lipner. The team develops and updates tools in response to threats; the tools are eventually incorporated into the SDL after they reach maturity. The company also consults with external researchers during the security review process.

"As we learn about vulnerability types, we address them with the compiler," said Michael Howard, principal security program manager of the SDL Team. "The Visual C++ compiler offers a lot of defenses for free.

"I spend hours each day reading security research, draft documents on security protocols, and about the security implications of some technologies to stay on top of what happens in this industry."

While that research often results in Microsoft adapting its technologies and SDL requirements to address vulnerabilities, the company is acutely aware that additional requirements can hold products up. To balance security with its need to ship software, Microsoft tests new SDL requirements across the company before they become mandatory, Howard said. "Lots of rigor goes into making a requirement," he added.

"I personally feel that Microsoft has been doing a fantastic job in this area. In fact, I have high hopes that Microsoft will be pushing more of their secure design methods down into Visual Studio and its development processes," said Caleb Sima, cofounder and former CTO of SPI Dynamics. Hewlett-Packard acquired the company in 2007.

Microsoft is in the planning stage for a new version of the SDL that will be released internally later in the year, according to Howard. One of the main objectives in the revision is to marry the SDL with agile programming methodologies.

Related Search Term(s): Microsoft, security

Pages 1 2 3 4

Share this link: http://sdt.bz/33340

Most Read Latest News Blog Resources

Branching and merging: the heart of version control
Providers hold their own views of the landscape, but the Git SCM system is drawing looks from them all

Not so fast when it comes to testing in the cloud
Developers face outsourcing, virtual lab management and mobile devices as obstacles

Microsoft pivots toward business intelligence
The goal is to make business intelligence accessible "to the masses"

From the Editors: Node.js is unruly, but that’s where the fun is
The time to get involved with Node.js is now; Hadoop is about to break its own barriers

Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists

Not so fast when it comes to testing in the cloud
Developers face outsourcing, virtual lab management and mobile devices as obstacles

Xceed releases UX-focused suite for Microsoft’s WPF
"Blendables" helps match user experiences to developer visions

Microsoft pivots toward business intelligence
The goal is to make business intelligence accessible "to the masses"

GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.

Facebook claims hacker cred
Facebook's SEC S-1 filing form includes a short essay on the Hacker Way by Mark Zuckerberg himself.

Ryan Dahl steps down
Ryan Dahl, creator of Node.js, steps back from his position as gatekeeper for the project.

Bloomberg opens its API
Bloomberg's APIs could lead to a future standard for accessing market data.

The Hidden Costs of Software Licensing Moving beyond paper-based software licensing to more flexible, software-based licensing is a business decision. There is a growing trend tow...

Case Study: You May Need a Development Mechanic As a contractor for a major financial player in Germany, SOBEGE, a German-based consultancy specializing in embedded IT and web services, wa...

Ensuring Software Quality at a Major International Bank One of the world’s leading international banks has adopted AgitarOne technology for delivering generated unit tests for their Java software...

Load Testing Adobe Flex Applications Adobe Flex applications may be different from applications you’ve worked with before. For classic HTML web applications, the server does all...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

Cigital Develops Ready-to-Use Tools for Securing the Smart Grid Cigital Inc. announced the release of the Guide to Developing a Cyber Security and Risk Mitigation Plan.

Microsoft focuses on security development life cycle A change from the previous ways of handling application security, Microsoft is embracing the security development life cycle in its products and launching a series of programs to let customers take part in this new security method.

Microsoft's Midori to sandbox apps for increased security The Midori project, Microsoft's effort to design a post-Windows, next-generation operating system, is projected to offer memory access control, to protect against privilege elevation attacks and to enforce least-privilege computing.

Add comment

Name*
Email*
Country

Comment

Cigital Develops Ready-to-Use Tools for Securing the Smart Grid
Cigital Inc. announced the release of the Guide to Developing a Cyber Security and Risk Mitigation Plan Read More...

News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
FEBRUARY 2012 PDF ISSUE

Need Back Issues?
DOWNLOAD HERE

Want to subscribe?

GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.
02/03/2012 12:17 PM EST

Facebook claims hacker cred
Facebook's SEC S-1 filing form includes a short essay on the Hacker Way by Mark Zuckerberg himself.
02/02/2012 08:26 AM EST

Ryan Dahl steps down
Ryan Dahl, creator of Node.js, steps back from his position as gatekeeper for the project.
02/01/2012 04:58 PM EST

Bloomberg opens its API
Bloomberg's APIs could lead to a future standard for accessing market data.
02/01/2012 04:41 PM EST

The case for piracy
In the aftermath of SOPA and PIPA, some copyright holders have begun to embrace piracy as inevitable...and even beneficial.
01/30/2012 02:39 PM EST

Tablet sales boom, but applications lag
The installed base of tablet computers and e-book readers is growing rapidly, but no killer app has yet emerged -- hint, hint.
01/28/2012 05:48 PM EST