So why even try?

Aug 24, 2007 08:42 GMT

The fact of the matter is that security and perfection do not go together. Not even for Microsoft, or for the company's Windows operating system. Perfect Windows Vista security is certainly a pipe dream, even though Microsoft is applauding its latest operating system as the most secure Windows platform to date. But the fact that perfect security is not achievable does not mean that Microsoft does not apply itself. In this context, an illustrative example is the work the company has done with the Security Development Lifecycle (SDL).

Steve Lipner, Senior Director of Security Engineering Strategy in Trustworthy Computing and former director of the Microsoft Security Response Center, faced a tough crowd during the panel on the ethics of security vulnerability disclosure at Black Hat in Las Vegas. Lipner revealed that the discussion shifted from the ethical disclosure of vulnerabilities by independent researchers to the security model in general. Namely, Lipner had to answer for the practice of software companies, Microsoft included, of shipping products with known classes of security vulnerabilities.

"At Microsoft, we hear these kinds of ethical questions more often than you would think. All of them tend to come down to two common themes: How much should a vendor do and how long should a vendor wait to make a release 'secure enough?' Our answer is that we do as much as we can to make our products secure, but we're always mindful of the need to ship customers a product that will not only improve security but be timely enough so that they'll actually use it. It is not much more ethical to work forever on a secure product that you never ship and users never use than it is to ignore security altogether," Lipner responded.

The bottom line is that security is never a finished product feature but a continuously rising standard. It is a healthy management practice to treat security and the ship date as product requirements in their own right, and to define the quality bar a build must clear before it is recommended for shipping. Aiming for perfect security amounts to perpetual development, and the product will never ship. Instead, the focus has to be on raising the bar again and again. That is precisely the scope of the SDL, summed up in its guiding principles: "Secure by Design, Secure by Default, Secure in Deployment and Communication" (SD3+C).

"While we do the very best we can, we know that perfection is not achievable. What we do is add steps to a commercially viable development lifecycle that can be accomplished by real developers on a schedule that allows them to ship competitive products. We learn from our mistakes and update the processes as we go, but we never forget that it's important to ship," Lipner added. "I think that given the choice between shipping perfectly secure software (whatever that means) that no customers will use and shipping software with continuously improved security that will actually help customers, the better ethical path is to ship."