Windows Vista is the first operating system from Microsoft to be the complete product of a development process designed to implement an immutable set of quality standards into every product from the Redmond Company. The set of standards involving "secure design, coding, testing, review, and response for all Microsoft products" is none other than Security Development Lifecycle.
SDL "makes security a top priority throughout the development cycle by mandating a repeatable
engineering process that every developer must follow, and then verifying that process before product release," revealed Microsoft in the Security Enhancements in Microsoft Windows Vista article. SDL was born in 2003, at the hand of the Secure Windows Initiative (SWI), a team designed to build, evangelise and help deploy the process.
In excess of 1,400 threat models were created for the testing of what would become Windows Vista. According to the Redmond Company the threat models were used in order to determine risks, mitigations, faulty code and aspects of the operating system that would prevalently attract exploit and attacks. For example, all the vulnerabilities that had previously affected Windows XP, were checked in Vista, in order to ensure that the history will not be repeated.
"The Windows Vista code base was also scrubbed for issues that commonly lead to security vulnerabilities. All instances of cryptographic algorithms, for example, were reviewed to assess weaknesses in algorithm choice or key strength. More than 100 programming APIs that had been maliciously exploited in the past were systematically removed from the code base and replaced with more secure versions. In addition, non-Microsoft components in Windows Vista were reviewed against the SDL," Microsoft added in the article.
Additionally, the Redmond Company is delivering guidance on the SDL process for all ISVs that are involved in developing applications designed to integrate with Windows Vista.
Find us on Google+
No user comments yet.
Be the first to express your opinion!
