Microsoft shares internal security software and methods

Microsoft will soon release tools and methods it has used over the last few years to reduce the number of security problems in its software.

Microsoft began to take security seriously around 2001. Coding problems in its software opened the door to an intense new wave of malicious worms, or self-propagating programs that crashed e-mail servers, created botnets and stole user passwords, causing costly damage to businesses.

In response, Bill Gates launched the Trustworthy Computing Initiative in early 2002. Two years later the company had refined what it calls the Security Development Lifecycle (SDL), or its processes to ensure it writes near-bulletproof code.

Use of the SDL has reduced the number of security vulnerabilities in its Windows Vista operating system and SQL Server, one of its database programs, compared to older versions of the software, said Steve Lipner, senior director of security engineering strategy for Microsoft’s Trustworthy Computing Group.

Extending the SDL to ISV (independent software vendors) and other developers for enterprises, such as banks, strengthens confidence in Microsoft and software designed for Windows, Lipner said.

“If somebody is using a third-party application on the Microsoft platform, they are still a Microsoft customer,” Lipner said. “We want their computing experience to be safe and secure.”

Two of the tools are free. The SDL Optimization Model is a questionnaire and checklist that evaluates an organization’s security development practices. It looks at how a company responds to new security alerts and patches, and issues such as training and threat modeling.

Microsoft will offer the SDL Optimization Model for download on its SDL Web page in November.

“We think that’s going to be a great resource for people who want to get into the SDL and need to figure out how they get started,” Lipner said.

The other freebie is an application called the SDL Threat Modeling Tool 3.0, which will help software architects who aren’t versed in security to spot potential security issues in software they are designing.

“If you’re a developer, telling you things like ‘Think like an attacker’ isn’t helping,” said Adam Shostack, senior program manager for the Security Development Lifecycle Team.

The application lets software architects diagram aspects such as data flows. Microsoft has encoded into the program rules that security engineers would follow when working with software. Users of Threat Modeling Tool get instant feedback, Shostack said. Microsoft will put the tool on its Microsoft Developer Network download center in November.

The last component is the formation of a group of companies that can advise other companies on the SDL. The SDL Pro Network is a group of nine security service providers, consultancies and training companies.

The network can advise ISVs and enterprises on ways to test their own internally developed software for coding problems. The SDL Pro Network will start a pilot phase in November, Lipner said. Those companies will get paid through either a classic consulting fee or bill by a subscription service, Lipner said.

“We believe they are going to prove to be a great resource for organizations outside of Microsoft that want to move forward with the SDL,” Lipner said.

Most third-party Windows software is not written using state-of-the-art security practices said Jan Muenther, CTO with SDL Pro Network member n.runs. “While Microsoft themselves have been putting a lot of effort into securing their own code, sometimes the code that they get from third parties does not match the same quality level,” he said.

Muenther believes that these new SDL programs could not only beef up the quality of Microsoft’s partners’ code, but it could also draw some attention to Microsoft’s own security practices too. “They want to spread the word a little bit,” he said.

Robert McMillan in San Francisco contributed to this story.