The future of secure development at Microsoft
March 15, 2009 — Microsoft spent years shaping the requirements, tooling and cultural changes that have become indispensable parts of its Security Development Lifecycle. Today, the SDL is being revised to address emerging security threats, as well as new computing styles and paradigms that are changing the process of how Microsoft creates its software, said Steve Lipner, Microsoft's senior director of security engineering strategy.

The SDL is a mandatory process used internally at Microsoft during the development of its products, and Microsoft began to share its SDL expertise and tooling with customers last year.

A team of security scientists at Microsoft is dedicated to researching new classes of vulnerabilities and emerging technologies, said Lipner. The team develops and updates tools in response to threats; the tools are eventually incorporated into the SDL after they reach maturity. The company also consults with external researchers during the security review process.

"As we learn about vulnerability types, we address them with the compiler," said Michael Howard, principal security program manager of the SDL Team. "The Visual C++ compiler offers a lot of defenses for free.

"I spend hours each day reading security research, draft documents on security protocols, and reading about the security implications of some technologies to stay on top of what happens in this industry."

While that research often results in Microsoft adapting its technologies and SDL requirements to address vulnerabilities, the company is acutely aware that additional requirements can hold products up. To balance security with its need to ship software, Microsoft tests new SDL requirements across the company before they become mandatory, Howard said. "Lots of rigor goes into making a requirement," he added.

"I personally feel that Microsoft has been doing a fantastic job in this area. In fact, I have high hopes that Microsoft will be pushing more of their secure design methods down into Visual Studio and its development processes," said Caleb Sima, cofounder and former CTO of SPI Dynamics. Hewlett-Packard acquired the company in 2007.

Microsoft is in the planning stage for a new version of the SDL that will be released internally later in the year, according to Howard. One of the main objectives in the revision is to marry the SDL with agile programming methodologies.

"More products at Microsoft are being developed using agile methods," said Howard. "The downside is that some of the stuff in SDL can take a long time to come to fruition. You can't do that on every single sprint."

"Sprint" is a term used in Scrum development to describe the period of time that it takes a team to increment usable software. "Incrementing" is the act of creating a new build on top of a previous version.

"The SDL was originally designed for Windows, and it was slotted to the Windows timeframe and development methodology," said Howard. Fearing that it was incompatible with agile development, Microsoft began its efforts to marry the SDL to agile on a small scale.

Parts of Microsoft's developer division and the SQL Server product team have been experimenting with adapting the SDL to agile. Those teams were able to "bucketize" requirements into easy, low-friction bundles that didn't slow the sprint, said Howard.

One example of how teams adapted the SDL is how they handled threat modeling. Microsoft uses a threat modeling tool internally to review the design and implementation of its software in order to determine requirements for security features.

"A threat model can take a month to build," Howard said. Instead of creating a full threat model, the teams documented components that they were creating for each sprint, he explained. "It didn't impede any deliverables from any sprint, and the teams were happy."

Additionally, SDL requirements will vary with code and languages, another major factor in evolving the SDL to new computing styles and paradigms, said Lipner. "We optimize the SDL for new development models and processes."

For example, the Windows Live team will focus more on SQL injections than on buffer overruns. However different their products may be in form, Microsoft's product groups still have equivalent requirements and must follow the same verification process that the SDL mandates, he noted.

That has permitted the SDL process to become more automated. "Originally the SDL was about questions; programming managers checked to see if things were done," said Lipner.

Additionally, there is a training requirement for engineers in software groups that are covered by the SDL. Microsoft engineers receive annual training on security considerations, and they were initially enrolled in live courses three to six times a week, Lipner said. Live training has since been reduced to special occasions, having been mostly replaced with online courses.

"The next step for the SDL or something similar is broad acceptance in academia. We need developers trained on SDL and we need a special program for SDL testing experts," said Jon Oltsik, a senior analyst at Enterprise Strategy Group.

Microsoft also updates the SDL to fill gaps so that certain vulnerabilities do not resurface in other products. For instance, testing tools were updated in response to a flaw in the way that Windows handles animated cursor files. Said Howard: "The updated tools found it quickly." He noted that it is important that developers focus on extra defenses.

"At the end of the day, the SDL is divided into two huge buckets: [getting] the code right and also knowing that we're never going to be 100% correct," Howard said. While it is honorable to focus on trying to get the code right, there is an inevitability of failure, he explained.

In early February, self-declared sleuths uncovered two serious vulnerabilities in Microsoft's implementation of its User Account Control application privilege security feature in Windows 7. The vulnerabilities, which have since been corrected, would permit malicious software to turn off UAC or even to elevate its own privileges on systems where the user account had administrative access.

Microsoft has redesigned UAC to run in a high-integrity process, meaning that malware would require elevation prior to changing the level of security that UAC provides. Lipner explained that the UAC feature is at the boundary between usability and security mitigation. "One thing you don't want to do is to go too far toward security and away from usability; that may make someone turn the feature off altogether," he said.

"I look at this and I say 'mistake,' and that is it. Not a fundamental flaw in their secure development process, which (by the way) is the most advanced process that any software company has to date. Issues come up, but overall the security of their system has done well," said HP's Sima.

Sima predicted that there would likely be "black hat" talks demonstrating how a hacker could bypass Microsoft's security restrictions, but he stated that what really matters is how much the number of security disclosures of Windows vulnerabilities has fallen since the days before the SDL.

"Considering that the intellect of the hacker has gone up since then, and the market adoption is higher [while] the vulnerabilities are lower, [tell] me that Microsoft is on the right track. They may not be perfect, but I'm impressed," he said.

There is a growing number of people who have the motive, opportunity and skills to attack, said Rex Black, president of Rex Black Consulting Services.

"What we have seen over the last decade is nothing less than the wholesale professionalization of computer crime, with the Internet as the highway that makes the modern-day digital highwayman possible," he said. And with tens of millions of lines of constantly evolving code, it is just a matter of time until a defect slips by, he added.

He explained that Microsoft was going against a formidable foe, and its software engineers must come to grips with the size, complexity and constant mutability of Windows—essentially playing a game of multidimensional chess against hackers. Another major current is environmental churn—changes in the technological environment in which the operating system exists—that may make it difficult for Microsoft to foresee threats that do not yet exist at the time the software is written, he said.

"While the SDL can and should be part of the solution, the problem we face is one that absolutely will not submit to a single solution, no matter how well executed, especially when that solution is executed by fallible human beings in a situation that exceeds the complexity of anything we've built in 10 millennia of human civilization," Black concluded.

Microsoft is under no pretense that the SDL is absolutely perfect, as Microsoft's Howard acknowledged. "Threats are constantly evolving, and it's important that we stay one step ahead of those threats," he said.

For those interested in the stories behind the creation of the SDL, you can read about Lipner's "war stories" here.

Share this link: http://www.sdtimes.com/link/33340