Hi everyone, Shawn Hernan here. Being a security guy is incredibly rewarding because you get to look at virtually any part of a product, from kernel drivers to web services to user education to sales and servicing. You have to do that because a failure in one of those areas can endanger the security of our customers. Microsoft’s SDL process reflects that reality. The process is structured so that you really do have to look at each piece before you can sign off. But sometimes when others want to emulate the success of the SDL, they want to skip steps. They try to boil the SDL down into its component parts, like training, or tooling, or security response. Maybe the most common form of that mistake is training, but you see that same thinking applied to code scanning, security response, and just about every phase of the SDL. “Let’s just train everyone, and all our security problems will go away.” If only it were so easy. I’d like to take a few minutes to try to explain why it’s not really that easy from my own experience.
Have you ever sat in a corporate training? Some are good, some are bad, but did you ever say, “man I can’t wait for training today.” What about mandatory training? What about mandatory training in a subject that you really don’t think is your area? What if you had to do it every year, and got harassed if you didn’t do it? What if you were, say, an audio engineer and were dragged into a security class?
I ran the SDL training program at Microsoft for a long time, and developed and taught a big chunk of the training. I spent hundreds of hours in front of thousands of developers, testers, and program managers. I got some really good reviews (and a few bad ones) on the classes I offered. And I tried to do a lot of things to try to make the trainings interesting. I handed out dozens of fresh peaches in an early class on fuzz testing, for example. The room smelled really nice after that, and there are probably still a few people around Microsoft who think of fuzz testing when they see a peach.
But even on my best day, I was under no illusion that the majority of the audience was excited to be there, and I was certain that they weren’t going to go back to their offices and spend weeks applying the lessons from the class, setting aside other things that are causing present and immediate problems in favor of something that is far off into the future.
You have to work at getting people’s attention – especially as it relates to security and privacy. From time to time, I would see people reading their mail in class, and I would point to them and ask them a question. That did not endear me to the audience as much as the peaches, but embarrassment is always fresh and in season. :)
One student wrote of one of my classes, “the basics for secure design – could be replaced by non-anonymous site-wide exam with open material.” He was not alone, I assure you.
Is that an indication that our training, or any training, is pointless? Hardly, but training alone is not a change agent.
Richard Derwent Cooke wrote, “It is a first principle of Change Management that people will act in what they perceive as being their best interests.”
At best, training can provide people with insight into what they need to do to solve a security problem if they believe that solving that security problem is in their best interests.
To be effective, training needs to happen in an environment:
· Where expectations are clearly set (the SDL sets specific minimum requirements).
· Where people have appropriate incentives and consequences (security is a great career path at Microsoft, and nobody wants to be the one holding up a ship schedule for failure to meet a security requirement).
· Where tools and resources to accomplish the goals are available (we build a whole variety of tools that map to the SDL requirements).
· Where management models the behavior (recall the original BillG TWC memo).
· Where the environment reflects and supports the values presented in the training (apparent in everything Microsoft does).
Don’t make the mistake of thinking that a bunch of training, even really high quality training done periodically, will result in actual behavior change. It won’t. You have to build an environment where people perceive solving security problems as being in their best interests. You have to make security their problem – not in the sense of passing the buck, but in the sense of changing their behavior so they will bring security problems to you.
To illustrate further, I’ll cite two examples. First, fuzz testing. Fuzz testing has been a success story here at Microsoft. Tools arise spontaneously to solve new fuzzing challenges, written by people who believe the challenges are their challenges. There are people who feel ownership for our fuzzing strategy and ongoing research and science, there are specific goals and requirements, we have training (remember the peaches?), and internally developed fuzzers have won prestigious awards within the company, handed out by members of the executive staff, and all of this gets revisited periodically as part of the SDL.
By contrast, I’ll choose a less successful area – defect estimation. Of my own volition, I created (based mostly on some excellent material from Microsoft Research) and taught a class called “Defect Estimation and Management” and added it to the SDL curriculum. Microsoft is a great place to work in that regard. It was pretty close to the best-reviewed class I taught. But we have not yet been able to establish a set of tools to estimate security defect density effectively, establish a fair set of expectations, incentives, and consequences, or even decide what we should do if we had the data. We discovered some things, though. For example, based on what I observed (which should not be construed as rigorous research), it does not appear as if the density of general defects correlates closely with the density of security defects. And Microsoft Research found that higher code coverage in testing correlates with higher bug rates in the field.
And so even though people like the idea of defect estimation, and we’ve got some interesting and surprising data, we’ve not yet been successful in changing people’s behavior. Generally speaking, an individual test manager does not feel that establishing a high-quality estimate of their defect density is in his or her best interests, as compared to, say, improving the time in which an established series of tests can be performed.
We need to build an environment that has the tools, training, rewards and incentives, and expectations and consequences to change people’s behavior. Not that we’re not trying. But training won’t solve it alone, nor would tools, trophies, rants, testing, code review, or some edict from on high. The SDL is as much about changing the culture and influencing the behavior of individual engineers as it is anything else.
I’m convinced that Microsoft’s SDL process works because it addresses the end-to-end problem – from training through servicing, and provides a complete environment where people feel ownership of their part of the security problem and have the resources to solve it.
So the next time you find yourself sitting in some mandatory training, remember the lessons of the SDL (and most of the research on human performance management): training alone won’t cut it. If you want real behavior change, there have to be things outside the lecture room to influence people to change their behavior.