Steve Lipner here.
Last week I participated in a “press tour” talking to press and analysts about the evolution of the SDL. Most of our past discussions with press and analysts have centered on folks who follow security, but this time we also spoke with publications and analysts who write for software development organizations. I was struck by the extent to which the folks who focus on development have been grappling with many of the issues about developing secure software that we’ve focused on here at Microsoft.
Security beat reporters, whom we have been working with for years, have been exposed to a regular stream of news on the latest bugs, worms and viruses, and Microsoft’s ability to react quickly to customers affected by those attacks with patches has been the industry story for many years. Last week, I had an opportunity to get out and tell the other side of the story – what we are doing proactively as a major software vendor and platform provider to help eliminate vulnerabilities during the development process. Based on feedback from reporters and analysts who know this space, our work to take Microsoft’s SDL best practices and share them externally has clearly been a need in the industry for a long time.
The specific occasion that motivated me to spend a week in conference rooms, airplanes and hotel rooms was today’s announcement of new initiatives in sharing aspects of the SDL with the development community. These initiatives don’t make secure development a “cut and dried” process, but I believe they will take things one step further toward enabling developers to build more secure software. I’d encourage you to look at our announcements. I’m really excited that we’re taking these new steps to share more of our secure development practices and tools with developers who need them.
As always, we’d welcome your feedback about these new programs and what we should do next.