Many of us no doubt remember Chairman Bills now infamous 2002 memo to all Microsoft employees in which he put product security as the top priority for the company. Indeed, he went so far as to tell them that security concerns would trump new features in software products. Thats a significant and bold statement for any software development company and it is to be applauded. Great stuff, Bill!
But here it is 2007 and what has really changed? We saw some significant security advances in the XP family, most notably in service pack 2 (SP2). Numerous SP2 security enhancements were at last opt-out and not opt-in, meaning that, for the first time, security features such as the Windows firewall were enabled by default. Again, this is great stuff and should be loudly applauded. I should note that the Windows firewall was available prior to SP2, but many/most users were blissfully unaware of it because it wasnt enabled by default. (Boo hiss! Bad Microsoft!)
Mac vs. Linux: Which is More Secure?
But XP was released in late 2001, early 2002, so it couldnt have possibly benefited in any meaningful way from Mr. Gatess new security policy statement. An operating system takes years to develop, and no doubt the vast majority of the development that went into XP took place long before the developers had even the faintest hint of his intentions.
And then along comes Vista, some five or so years later. By all accounts, the code under Vistas hood was largely a thorough re-write of prior XP and Win-2000 code. And whats more, its the first full operating system that Microsoft developed from the ground up using its new Security Development Lifecycle (SDL).
Several papers and even books have been published detailing the different aspects of the SDL process. In mid-2006, Michael Howard and Steven Lipner published an excellent book on the SDL it should be read by anyone who develops software.
But, outside of a relatively small (but growing) cadre of software security practitioners, not a lot of folks even know the SDL exists. And yet, in a very real way, the SDL is at least as much on the line here as Vista itself.
And with the first Vista-affecting zero-day attack surfacing just last week, I really hope this isnt a harbinger of things to come. At least judging by the early accounts of this new security defect, it seems as though theres every reason to expect it should have been caught through the extensive fuzz testing thats an integral part of the SDLs security testing regimen. There are even early indicators that this flawor at least a substantially similar onewas reported to Microsoft in XP a couple years back.
Why is this security defect such a big deal, you may be asking. We see defects reported in XP on a nearly daily or at least weekly basis, after all. Ill tell you. My fear is that the SDL itself could be sacrificed if its believed to have failed, which would be a tremendous setback for all (secure) software development.
Mac vs. Linux: Which is More Secure?
Is the Mac Really More Secure than Windows?
IT In 2007: Budget and Trends
The Emerging Dell-Linux-Apple War|
You see, its not that the SDL is necessarily the best way of developing secure software. How many other software developers have to deal with the sorts of issues as Microsoft does? Seriously, how many people can claim that their general-purpose software will be used by hundreds of millions of people for everything from emailing the latest jokes to running mission-critical software at the largest enterprises? Not so simple to make security decisions that appease such a vast spectrum of users, is it?
Without a doubt many software development organizations even large ones will find Microsofts SDL as not quite meeting their needs. Heck, its not even the only game in town. There are several other lighter-weight security development processes readily available. The Open Web Application Security Project (OWASP) has its CLASP process, for example. Cigital has its touchpoint model. (Both of these can be freely downloaded, via here and here, respectively.) The list goes on.
But none of that is important. The fact is that the SDL is what Microsoft uses, and its future, along with the future of software security trends at Microsoft, is very much on the hook right now. Because of the sheer vastness of their market share, we all stand to lose out of the SDL fails. It is said that a rising tide raises all the ships in a harbor; well, then it stands to reason that a retreating tide lowers all the ships in a harbor just as equally.
For that reason, count me in as a supporter of the SDL. Long live the SDL.