Early Days of the SDL, Part Three

Glenn here. It’s easy to look back on a career in software and see the highlights in terms of the big features pushed to meet a customer need, the milestones met, and the products shipped; but one of the highlights of mine was a fairly innocuous off-site meeting in October 2001, at a pretty conference centre just a few miles from campus.


The meeting was originally set up as a strategy meeting for the direct reports of my then (and now) boss, Steve Lipner, but it quickly got diverted onto the subject of how we, as part of Windows, could respond to the spate of worms that had affected our customers in the previous few months.


I very distinctly recall the discussion turning to Mike Howard’s recent experiences on the “Security Stand-down” for the recent .NET Framework v1.0 release, and somebody remarking that it would be good if we could do something similar for Windows. Perhaps it’s a “movie memory”, but I remember there being silence, or skepticism at that suggestion – how would something like that be possible on a project like Windows? – but as we continued to explore, we somehow managed to convince ourselves that it was an idea worth pursuing.


That meeting was one small step, probably the first step, on the way to the “Windows Security Push”, but the ideas and drive that came out of it set us on the path to the SDL, a key part of our development process.


I wish I still had the flipchart!


About the Author
Glenn Pittaway

Senior Director, Trustworthy Computing