Security Development Lifecycle (SDL) document is now live

Microsoft's Security Development Lifecycle

Dana Epp's ramblings at the Sanctuary — Sat, 19 Mar 2005 21:13:00 GMT

In the past decade it has been easy to slag Microsoft for their stance on security. It has appeared that the drive for profits have always trumped the safety and security of the code. When Microsoft decided to STOP development and retrain the ENTIRE development group about secure programming, many in the industry brushed it off as a PR stunt. But as I pointed out early last year, if we look at what Microsoft has been doing as of late, we can see that they have made significant changes to build a foundation for a more secure computing experience: They have created better error-reporting software. They have found that the top 20% of their errors make up 80% of the problems. Knowing this and capitalizing allows Microsoft to significantly prioritize and reduce bugs that matter the most.They have created better developer tools to help write more secure software, with release of tools like prefix, prefast, AppVerifier and FxCop. Their only problem right now with this is that they ARENT letting developers know about them!They halted product development for a period of time and retrained their developers to code more securelyThey audited as much product source code as humanly possible and now have a dedicated lead security person for each component of the Windows source code to watch over code quality as it relates to security. Previously they had a clean up crew come in after the fact and try to sanitize the master sources.Microsoft has begun to provide more secure defaults when shipping new product. As a clear example we have seen the launch of Windows Server 2003 with a lessened attack surface than previous versions of their server product.Microsoft now provides better tools such as the Microsoft Baseline Security Analyzer to analyze and audit patch management as it relates to security bugs in a proactive manner.After major security incidents (like MSBlaster and MyDoom) Microsoft has released tools to help respond and fix possible vulnerable and compromised machines. Although these are not timely enough (IMHO), its still good to see.Microsoft has provided a more definitive patch management cycle to address patch hell until their newer products get released that have a significantly lessened attack surface, and have better code quality.Microsoft provides better integrated firewalling with their Internet Connection Firewall (ICF), released with the latest service pack for XP. Ok this item isnt about secure coding... but more about "secure by default" mentality.Microsoft is being more open about the entire security process. And not just for PR purposes. More articles, documentation and transparent communication are now available through MSDN, Microsoft employee blogs, and Microsofts Security webcasts. The last bullet is what I want to talk about today. Michael Howard reports that you can now read about the security-related process improvements they have put in place at Microsoft. They have been working on defining this for about two years now, and as of today now have made this document public. It is an excellent document providing real insight on what is going on with Microsoft's own security development lifecycle. Well worth the investment in time to read and learn from. (Anyone who is arrogant enough to believe they know everything and cannot learn something from Microsoft's experience here really shouldn't be in this industry) So check out Microsoft's Security Development Lifecycle. Happy reading!...

More interesting finds this weekend

Jason Haley — Sun, 20 Mar 2005 15:37:00 GMT

More interesting finds this weekend

re: Security Development Lifecycle (SDL) document is now live

buddyprav — Mon, 21 Mar 2005 05:23:00 GMT

Hi,

provide SDLC documentation and CMM documentation.

thanx
buddyprav

Security Development Lifecycle at Microsoft

Sergey Simakov blog — Mon, 21 Mar 2005 14:10:00 GMT

Trustworthy Computing Security Development Lifecycle

Robert Hurlbut's .NET Blog — Mon, 21 Mar 2005 16:10:00 GMT

Microsoft's Security Development Lifecycle Process

David Boschmans' Weblog — Mon, 21 Mar 2005 17:37:00 GMT

Microsoft's Security Development Lifecycle Process

SDL Document is Live on the Security Developer Center

BufferOverrun — Mon, 21 Mar 2005 20:35:00 GMT

SDL Document is Live on the Security Developer Center

BufferOverrun — Mon, 21 Mar 2005 20:37:00 GMT

re: Security Development Lifecycle (SDL) document is now live

rcme — Tue, 22 Mar 2005 13:43:00 GMT

Lots of great info here Michael. I read Steve's original paper, so I look forward to reading this one for the updates.

Aside,
Is this available as a "document" (i.e. .doc or .pdf)? Sometimes it is easier to read on paper, and printing from a HTML doesn't always format properly. There seems to be some inconsistency on the Microsoft website regarding documents. For example, this SDL document is only available as HTML, while other docs, like the Security Risk Managament Guide is available as .pdf, and yet others are available as .doc.

Keep up the good work!!

re: Security Development Lifecycle (SDL) document is now live

Michael Howard — Tue, 22 Mar 2005 21:47:00 GMT

Yeah, we'll make a download avail - not sure if it's DOC or PDF. But watch this space :)

Microsoft Security Lifecycle

Emergent Chaos — Mon, 28 Mar 2005 02:25:00 GMT

Michael Howard mentions that Microsoft has published their Software Development Lifecycle for security. Slag all you want, but I don't see a lot of other vendors doing this. And now, if you need leverage to get buy in, you...