Producing more secure applications
Jun. 16, 2007

On June 8, at Microsoft’s Security Day event held in Bellevue, Wash., security executives said the SDL (Microsoft’s Security Development Lifecycle) has been made publicly available for developers to use in their own applications as a means to produce more secure and bug-free software.

"There are now at least six large organizations that we are aware of that have adopted SDL and integrated it into their own development process," said Michael Howard, senior security program manager at Microsoft’s senior engineering team.

Howard underlined that the SDL is not expected to completely eliminate software vulnerabilities; its goal is to reduce vulnerabilities as much as possible. It is also aimed at decreasing the severity of a vulnerability that may exist in particular lines of code. Howard added, "SDL is not a panacea! It will not eliminate all security problems and vulnerabilities, and even if we eliminate all vulnerabilities known to mankind today, there’ll still be a new one tomorrow."

More information on Microsoft’s SDL and how organizations may integrate it into their own environment is offered in a book titled The Security Development Lifecycle, co-authored by Howard with Steve Lipner, senior director of security engineering strategy at Microsoft. Overall, the book discusses methods for using a streamlined risk analysis process to find security design issues before code is committed. It also offers instruction on applying secure coding and testing best practices and on conducting final security reviews prior to shipping the product. It also covers integrating security discipline into agile methods and processes, such as Extreme Programming and Scrum.

According to Stephen Toulouse, senior program manager for Microsoft’s trustworthy computing group, "while specific tools available with Visual Studio are prescribed for adopting SDL, the process is language-agnostic and can be integrated into an existing development process."

Under Microsoft’s SDL process, creating new applications would require developers to sit down and brainstorm on how a particular product could be misused, even before they’ve started writing the software, Toulouse explained. Overall, code testing is automated and the entire process is documented so everybody can learn from past mistakes and improve on them, he added.

Windows Vista, the latest version of Microsoft’s operating system, has gone through the SDL process. Compared to its predecessor, Windows XP, Vista has seen a 65 per cent reduction in the number of vulnerabilities, Howard said.

Although Microsoft’s SDL does not seem to offer anything that most IT security experts don’t already know, it is a useful tool for software developers, particularly those who have not really been trained to write secure code, said Francis Ho, spokesperson for Toronto-based Federation of Security Professionals. Ho added, "Typically, with most programmers they are guided by 'I’ve got to deliver this by this day,' and security usually is an inhibitor to what they want to do."

The notion of writing secure applications has been around for decades but has failed to gain much traction, he said. Ho also said, "What Microsoft did was put it in a nice book and maybe this would be a good start for instituting secure coding."

Microsoft’s popularity among developers in Canada and North America can be instrumental to the success of its SDL, said Michelle Warren, research analyst at Info-Tech Research in London, Ont. "SDL enables developers to address their projects with security in the forefront of their mind, so that the end-product will not require as much work to go back and edit, change or tweak because all of the security will already be built in," Warren noted.

Ho noted that for the SDL to succeed in an enterprise development environment it needs the support of management, similar to Bill Gates’ commitment when Microsoft embarked on the SDL. "Most senior executives view security as an IT problem and until that changes, they’re going to have a long hill to climb I would say."

However, as enterprise customers increasingly become more conscious about the security of the software products they purchase, vendors will have to start focusing more on secure coding, Ho added. "There’s no absolute security and all you can do is better than what you did before. Overall, I think SDL is a very good thing. Do I think the software industry is going there, I think in spurts they are," he said.

Source: IT World Canada
© IT Direction. All rights reserved.