Security Development Processes and Transparency

Hi, Michael here,

The following article, “Major software makers fail security transparency test,” caught my eye this morning because it covers a topic of great interest to me: companies documenting their security and privacy-related software development practices for the world to critique and, perhaps more important, use.

As the article noted, Microsoft’s process has been public for nearly half a decade.

About two years ago I created a short presentation (attached) that asks many of the questions implied by the SD Times article. We support the proposition that vendors should be evaluated by criteria that are closer to the real security properties people want in their systems. Ask your vendors: are you investing in security or certificates?

The industry clearly has a long way to go, both in terms of improving security and explaining how they achieve or plan to achieve their security objectives.

About the Author
Michael Howard

Principal Security Program Manager

Michael Howard is a principal security program manager on the Trustworthy Computing (TwC) Security team at Microsoft, where he is responsible for managing secure design, programming, and testing techniques across the company. Michael is an architect of the Security Development