News

Microsoft Launches New Security Approach

Microsoft will soon release tools and methods it has used over the last few years to reduce the number of security problems in its software

By Jeremy Kirk, IDG News Service (London Bureau)

September 17, 2008 — CSO —

Microsoft will soon release tools and methods it has used over the last few years to reduce the number of security problems in its software.

Microsoft began to take security seriously around 2001. Coding problems in its software opened the door to an intense new wave of malicious worms, or self-propagating programs that crashed e-mail servers, created botnets and stole user passwords, causing costly damage to businesses.

In response, Bill Gates launched the Trustworthy Computing Initiative in early 2002. Two years later the company had refined what it calls the Security Development Lifecycle (SDL), or its processes to ensure it writes near-bulletproof code.

Use of the SDL has reduced the number of security vulnerabilities in its Windows Vista operating system and SQL Server, one of its database programs, compared to older versions of the software, said Steve Lipner, senior director of security engineering strategy for Microsoft's Trustworthy Computing Group.

Extending the SDL to ISV (independent software vendors) and other developers for enterprises, such as banks, strengthens confidence in Microsoft and software designed for Windows, Lipner said.

"If somebody is using a third-party application on the Microsoft platform, they are still a Microsoft customer," Lipner said. "We want their computing experience to be safe and secure."

Two of the tools are free. The SDL Optimization Model is a questionnaire and checklist that evaluates an organization's security development practices. It looks at how a company responds to new security alerts and patches, and issues such as training and threat modeling.

Microsoft will offer the SDL Optimization Model for download on its SDL Web page in November.

"We think that's going to be a great resource for people who want to get into the SDL and need to figure out how they get started," Lipner said.

The other freebie is an application called the SDL Threat Modeling Tool 3.0, which will help software architects who aren't versed in security to spot potential security issues in software they are designing.

"If you're a developer, telling you things like 'Think like an attacker' isn't helping," said Adam Shostack, senior program manager for the Security Development Lifecycle Team.

The application lets software architects diagram aspects such as data flows. Microsoft has encoded into the program rules that security engineers would follow when working with software. Users of Threat Modeling Tool get instant feedback, Shostack said. Microsoft will put the tool on its Microsoft Developer Network download center in November.

The last component is the formation of a group of companies that can advise other companies on the SDL. The SDL Pro Network is a group of nine security service providers, consultancies and training companies.