You might have heard that January 2012 marked the ten year milestone of Bill Gates’ now famous email that started Trustworthy Computing at Microsoft. This email resulted in many changes across the company that have cascaded over the years. I have worked at Microsoft since the late 1990s, working in several roles since that time, and have seen many of the resulting changes firsthand. Perhaps the most important change at Microsoft was the creation and institutionalization of the Microsoft Security Development Lifecycle (SDL).
The SDL is a security assurance process that focuses on software development and introduces security and privacy throughout all phases of the development process. Microsoft has been using the SDL or its precursors for the past decade to inject proven security practices into the development of our software. The SDL became a company-wide mandatory policy in 2004, but the thinking and efforts to reduce vulnerabilities in our software started long before Bill sent the email on Trustworthy Computing. These were interesting times and if you haven’t read Steve Lipner’s recent article on his memories of this period, it’s worth a read; Steve is also reminiscing in this video on the milestone.
One important thing to understand about the SDL is that it is a “living” process. As new classes of vulnerabilities are discovered by researchers, and as attackers find new ways to take advantage of users of technology, we will continue to make the investments necessary in people and technology to refine and improve the Microsoft SDL, and aggressively share best practices with third-party software developers to help create a safer computing experience for everyone.
One important way we do this is by employing security science. Security science is the science inside the SDL, and it builds on an innovative foundation of research to understand how computer systems are attacked and how such attacks can be prevented or mitigated. Security science then incubates and develops cutting-edge tools and techniques that help make it harder to successfully attack software. Security science makes the SDL better three ways:
- Helping to find software vulnerabilities.
- Developing exploit mitigation techniques and tools that developers should adopt.
- Constantly monitoring threat trends and activity in the threat landscape and improving tools and processes based on these observations. If monitoring efforts determine that a new threat has entered the ecosystem, Microsoft security response processes are engaged.
Some of the major SDL and security science milestones are reflected in the infographic below:
As seen in the figure below a new version of the SDL is released internally at Microsoft on a regular basis. Each new version of the SDL has the lessons we learned since the previous version was released, baked into it. We have been doing this iteration for many years and as I look back at some of the specific process improvements that became mandatory at Microsoft over time it is easier to see how the bar was raised.
Some select examples of SDL process improvements in some past SDL releases include:
- SDL 2.1 & 2.2: Bug bar, fuzzing (file, RPC), cryptographic standards, runtime verification testing
- SDL 3.0 & 3.1: Fuzzing ActiveX controls, banned APIs, privacy standards for development, online services requirements
- SDL 3.2: Cross-site scripting defenses, SQL injection defenses, XML parsing defenses
- SDL 4.0 & 4.1: Process automation, ASLR, CAT.NET, cross-site request forgery
- SDL 5.0: Agile SDL, fuzzing (network), operational security reviews, third-party licensing security requirements
- SDL 5.1: “Sample Code” compliance with SDL
Figure: Timeline of major milestones in the evolution of the SDL at Microsoft as published in the Microsoft SDL Progress Report
We provide the SDL guidance and tools to anyone that wants to use them, for free. To date, Microsoft’s free SDL tools and resources have been downloaded over 850,000 times reaching over 150 regions around the world. Most recently, the Financial Services Roundtable, an organization chartered with finding collaborative solutions to challenges in cybersecurity, fraud reduction and critical infrastructure protection for its member companies, announced that they have successfully incorporated many of the key elements contained within Microsoft’s SDL into the guidance they provide to their member institutions; they have published the BITS Software Assurance Framework.
Of course there is plenty of work left to do, both at Microsoft and in the industry. We are planning to hold our first annual Security Development Conference. The Security Development Conference 2012 will be held in Washington D.C., May 15 – 16, 2012. This event will bring together experts from a variety of industries to discuss, share and learn about key aspects of secure development. Microsoft’s Corporate Vice President for Trustworthy Computing, Scott Charney will kick off the conference with a keynote on Tuesday, May 15th. For more details on this event please visit http://www.securitydevelopmentconference.com/ . I hope to see you at the event.