I’ve been spending the past two weeks focusing on pulling together our security efforts for Whidbey. See Soma's blog on security in our division.
We have scheduled a multi week period before our Beta2 when the whole division will be focusing on security, doing things like targeted code reviews, design threat modeling and testing our code for possible attacks.
The good thing is that we’ve been ‘doing security’ throughout the product cycle: teams had to complete their threat modeling for features implemented in a milestone at the end of that milestone. Threat modeling really helps identify potential vulnerabilities in our design, even before we write the code. We’ve also been running cleanup tools like FxCop and PreFast (a static analysis tool that identifies in c/c++ code) and fixing the issues found on a regular basis.
In preparation for the focused effort later this year, we’ve asked everyone in the division to take the security training given by Michael Howard.
In getting this organized, communication is key. People need to know what they are being asked to do, and have all the information they need in order to accomplish their tasks. One way we do this is sending weekly update mails to a group that consists of team representatives that drive their teams to accomplish our security goals. Just finished sending one of those… It takes a lof of legwork to get all the information together.
Off to my weekend now.