Evolving Secure Code at Microsoft and Beyond

Steve Lipner here…

Over the past few weeks, Microsoft has been reflecting on the ten year anniversary of the Trustworthy Computing initiative; thinking about the things that have led us to this point in our history and speculating about the future.

Obviously a big part of our work has been the creation and evolution of the Microsoft Security Development Lifecycle (SDL). In our case, security has evolved in large part because of the issues that we faced early on.  As referenced in my previous post, the uphill battle we fought in the early years put a negative spotlight on our products and our ability to keep customers safe.

By learning from our weaknesses and from close observation of the evolving threat landscape, we were able to make progress against the challenges by employing an effective approach to developing more secure software. The most prominent and arguably the most important attribute of our evolution lies in our commitment to the SDL – a comprehensive approach for writing more secure code. Under the Microsoft Trustworthy Computing umbrella, the SDL is considered the most battle-tested and effective software security assurance process in the industry.

Clearly Microsoft products are not the only ones being targeted by cybercriminals. Today there is an industry dedicated to finding security vulnerabilities; motivated security researchers are in a race to discover the next big vulnerability in hopes of selling it on the open market. So how does Microsoft work with the industry to help build a safer, more trusted computing ecosystem? One way is by freely sharing our prescriptive guidance around the SDL methodology and tools so that other organizations can build more secure software.

We’ve noticed that IT-dependent organizations are no longer satisfied with the latest “Top n list” of security practices; instead they are demanding prescriptive practices like the SDL that make deliberate value judgments on security practices based on real-world effectiveness. We’re proud of our efforts here – no other software vendor shares their tools and resources to the extent that we have. We feel strongly that by sharing our best practices and tools, we can help organizations implement a version of the SDL that makes sense for them – regardless of what platform they use.

This insistence on effective security development processes can be found in the recent release of the BITS Software Assurance Framework. For those readers unfamiliar with BITS, it is the technology arm of the Financial Services Roundtable – an organization that includes members from major US financial services organizations. BITS is chartered with finding collaborative solutions to challenges in cybersecurity, fraud reduction and critical infrastructure protection for its member companies. Today, BITS will publicly announce that they have successfully incorporated many of the key elements contained within Microsoft’s SDL into the guidance they provide to their member institutions and their software vendors. Their recommendation of many of our security development practices is gratifying and a strong testament to how far we have come with software development security.

We’re also pleased to see a growing community of individuals and enterprises that are implementing secure development best practices; we feel there should be a venue where those ideas and methodologies can be shared.  In an effort to make that venue a reality and sustain the momentum behind secure development processes, we are pleased to announce the first annual Security Development Conference in Washington D.C., May 15th – 16th, 2012.

This event will bring together experts from a variety of industries in Washington, D.C. for a two-day conference that centers on the theme “Evolving from Principles to Practices” and will serve as a focal point for education and collaboration for security development professionals. By holding this conference we intend to emphasize the importance of more secure code as the critical first step to protecting against criminal activity. The conference will provide in-depth sessions, panel discussions, and professional networking opportunities that will help organizations develop and accelerate their own security development lifecycle processes.

For more information and registration details, I’d strongly encourage a visit to the conference website at www.securitydevelopmentconference.com

About the Author
Steve Lipner

Partner Director of Software Security, Trustworthy Computing

Steven B. Lipner is Partner Director of Software Security in Trustworthy Computing Security at Microsoft. He is responsible for programs that provide improved product security for Microsoft customers. Lipner leads Microsoft’s Security Development Lifecycle (SDL) team and is responsible for…