And the Security Development Lifecycle victory

Feb 19, 2009 13:14 GMT

Michael Howard, principal security program manager, has said in the past that security is an ongoing battle in which software developers, Microsoft included, have the responsibility to continually raise the bar in order to stay one step ahead of the bad guys. Via the recently launched Baking Security In website, the Redmond company offers a unique perspective on its own developers fighting, quite literally, in the trenches to ensure that end users are protected. In this context, 2001 and 2002 were nothing short of a turning point for Microsoft: the company was hit hard and left bleeding, but, with contributions from people like Steve Lipner, Sr. director of Security Engineering Strategy, and Michael Howard, it managed to “change its ways” and ended up putting together the Microsoft Security Development Lifecycle (SDL).

“Even though 2001 and 2002 are a distant memory for many people, those years are still fresh in my mind; not because of CodeRed or Nimda, even though I had worked in the IIS team, but because of the important security work we started within the company,” Howard recalled. In 2001 Howard and fellow Microsoft security guru David LeBlanc authored the book “Writing Secure Code”, which marked the point at which the software giant started to step up its security game.

Eight years later, Microsoft has not only shipped a variety of products developed with the SDL, including Windows Vista and Windows Server 2008, reducing the number of vulnerabilities by as much as 50% compared to their predecessors, but has also opened the Security Development Lifecycle to third-party developers. At this point in time there are no less than three SDL offerings: the Microsoft SDL Pro Network, the Microsoft SDL Optimization Model, and the Microsoft SDL Threat Modeling Tool. On the Baking Security In website, on top of “The Amazing Adventures of Kevlarr and the SDL” comic strips, you will also be able to watch two War Story videos featuring Lipner and Howard.

“When we started our little group to focus on “security as in threats, not security as in features” we had no name until Dave Thompson, then VP responsible for security (as in features) in Windows named us the Secure Windows Initiative, a name that has stuck until this year. Many of the original folks are still around; we’re still as active and energetic as we were in 2001 and 2002, just a little grayer and substantially wiser! Our small team, which is now an order of magnitude larger, changed the face of Microsoft security by changing the end-to-end development process, which believe me, is no easy task at a company the size of Microsoft,” Howard added.