Print

Microsoft focuses on security development life cycle



David Worthington
Email
September 25, 2008 —  (Page 1 of 3)
From ILOVEYOU to Code Red, Microsoft faced an onslaught of security exploits at the onset of the decade. Taking those events as a wakeup call, it changed its approach to security, adopting a security development life cycle (SDL) and creating an internal threat modeler.

Now, Microsoft is launching programs to take its SDL experience to its customers, and will offer tooling to help organizations review the design and implementation of their software in order to determine requirements for security features.

Threat modeling processes have been in use at Microsoft since 1999, and the threat modeling tool is a core element of the SDL, said Adam Shostack, senior product manager for the program. Microsoft’s objective is to transform threat modeling from an expert-led process into one that any software architect can perform effectively, he said.

“We looked to develop a process built around things typical software engineers understand—they will know how their software is actually built,” Shostack said. The tool contains a bug reporting feature so developers can treat security vulnerabilities the same way that they already deal with defects and features, he said.

“It pushes people to use the threat model as a driver for the entire security development process,” added Shostack.

It is not rigid, however. Users can choose not to model certain threats that they feel are not a tampering concern, Shostack said, by selecting those elements and choosing an explanation for why they are omitting them. The tool also provides an advisory area that informs users when the modeling process is finished. “People weren’t often sure when the process was done,” he said.

“Microsoft’s approach and new threat modeling tool make it easy for application developers to identify potential security issues without having to be security experts,” said senior Forrester analyst Mike Gualtieri. “I like how the tool generates not only a list of potential security issues, but also explanations.”

“There is no good commercial tool that does this,” observed Neil MacDonald, a Gartner fellow and vice president. “Microsoft created a wizard-type tool for threat modeling. Even if you don’t like Microsoft, the tool is useful.”



Related Search Term(s): security, software development, Microsoft

Pages 1 2 3 


Share this link: http://sdt.bz/32894
 


Comments


03/16/2009 07:05:00 AM EST

I started programming on English Electric Leo's and ICL 1900's, then moved to IBM MFT/MVT and MVS and Z/OS. There has never been a security problem with any of those operating systems. How come Microsoft allowed all the problems they had to happen? And IBM didn't? Namaste Clem

AustraliaClement Clarke


03/16/2009 03:23:33 PM EST

Clement - You are not seriously asking this question, are you? The words: "Attack surface", "complexity", etc... all come to mind. -Mark

United Statesmark feferman


03/26/2010 11:02:30 AM EST

“The responsibility for producing secure applications ultimately belongs in development,” - absolutely agree with this comment. http://www.vandgard.co.uk/

United StatesKate


06/15/2010 03:31:57 AM EST

as far as i know from the article found by http://www.torrentbasket.com SE, Microsoft's not the first company to think about incorporating security scrutiny somewhere in the development process, but there's no industry-wide standard for doing so; even the IEEE's SESC Framework hasn't provided any significant mention of security concerns. Microsoft's idea is to integrate security concerns into every step of the development process, and Microsoft counts six of them: setting project requirements, design, implementation, verification, release, and response (support and service). "Privacy is a full partner to security as far as the SDL is concerned," says Ladd, which ought to get the attention of any number of companies balefully eyeing new regulations.

United StatesHitcliff


08/12/2010 02:01:35 PM EST

I feel that the point of open source has been missed here. I do not think that open source is to generate programs that are more secure and have less bugs, but make applications more innovative and simpler to create without a long drawn out development schedule such as lots of Microsoft products have. I only see new office products every 3 years or so and usually, not always, the changes are not that significant. I do however think that the bug trackers that most open source projects use do generate better applications here is demo http://watchanimeonline.us/. When the users find the bugs and post them to the bug trackers, and the bugs are confirmed, then the bugs get tracked until the program no longer has it. Will there be bugs? Always, there is not getting around that. But at the top where you pointed out the dearth of accountability, bug trackers tend to remove that and help progress along. Attacking open source security does about as much nice as attacking closed source security. Neither is kind of secure than the other.

United Statesalex


09/14/2010 04:27:05 AM EST

Microsoft's not the first company to think about incorporating security scrutiny somewhere in the development process, but there's no industry-wide standard for doing so; even the IEEE's SESC Framework hasn't provided any significant mention of security concerns. Microsoft's idea is to integrate security concerns into every step of the development process, and Microsoft( http://www.btscene.com/search/term/microsoft/cat/0/ ) counts six of them: setting project requirements, design, implementation, verification, release, and response (support and service). "Privacy is a full partner to security as far as the SDL is concerned," says Ladd, which ought to get the attention of any number of companies balefully eyeing new regulations.

United StatesAllan


08/30/2011 10:33:12 AM EST

“It pushes people to use the threat model as a driver for the entire security development process,” Absolutely true. , http://www.kirklands-coupons.org

United StatesIvan


close
NEXT ARTICLE
Microsoft's plans for post-Windows OS revealed
A componentized non-Windows operating system is in the works at Microsoft, one that could eventually phase out Windows. The OS features asynchronous-only architecture built for task concurrency Read More...
 
 
 




News on Monday  more>>
Android Developer News  more>>
SharePoint Tech Report  more>>
Big Data TechReport  more>>

   
 
 

 


Download Current Issue
APRIL 2014 PDF ISSUE

Need Back Issues?
DOWNLOAD HERE

Want to subscribe?