Microsoft looks to spread secure software expertise
Slates free developer tools for November, hopes other vendors write more secure code
Computerworld - Microsoft Corp. said today it will export some of its expertise in writing secure code to developers outside the company with several new initiatives, including ones involving a pair of free tools it plans to unveil in November.
The company has distilled some of the experience gained during the past five years through its Security Development Lifecycle (SDL) process and philosophy into the Threat Modeling Tool 3.0 and the Optimization Model. It will make both available for free download in two months.
"We're put a lot of emphasis on tool developments to build more secure software," said Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing group and the co-author of The Security Development Lifecycle. "But as we've moved SDL more and more into the culture of our company, we've been watching what's happening on the outside."
And Microsoft isn't liking what it sees.
Microsoft, claimed Lipner, has nearly halved its share of the total disclosed vulnerabilities between the first six months of 2007 and the same period this year; Microsoft was responsible for 4.2% of all disclosed vulnerabilities in the first six months of 2007, and for 2.5% of those made public in the first six months of 2008. Credit, he said, goes to SDL and Microsoft's increased emphasis on writing more secure code.
It wants to share that knowledge, he added, and for a selfish reason. "We want to move toward a more secure Internet, and it's important that there is secure development not only for our software, but also for other software that our customers use," Lipner said, explaining why Microsoft is proselytizing SDL to outside developers.
Of the two free downloads slated for November, the SDL Threat Modeling Tool 3.0 has the longest lineage. According to Lipner, the tool has been in existence since 1998 or 1999, and it has gone through eight iterations within Microsoft, where it's been used by internal developers.
The 3.0 version has been in development for more than a year, said Adam Shostack a senior program manager on the SDL team; it's designed for developers who may not have a clue about the nuts and bolts of security.
"Threat models focused around attacks, or how attackers think, don't work for the typical software engineer," said Shostack. "They need to start from something that they're already familiar with."
With that in mind, Microsoft crafted the Threat Modeling Tool to focus on the software design process; it then built guidance and advice into the tool.
"It acts as an implicit trainer," said Shostack. "It will show them the [security] implication of their design, and give them a chance to learn about security in a way that's broader than just vulnerabilities."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts