February 23, 2005, 9:37 AM — In the war against reducing vulnerabilities in software code Microsoft Corp. Senior Security Strategist Phil Reitinger admitted the company still had a long way to go, but vowed the war will be won in the development stage.
Speaking at the National Security Australia 2005 conference yesterday, Reitinger proclaimed it is of critical importance to the IT industry that developers are trained to write secure code.
Reitinger also advocated Microsoft's Security Development Lifecycle (SDL) model to make the process easier.
SDL is Microsoft's current software security quality assurance framework involving a series of a checks at each stage of development.
The internal process that involves a security team assigned to each unit in the development stage when writing code.
Reitinger noted current common criteria for development does not require software to be designed by a process that reduces vulnerabilities, to which Microsoft are responding through the SDL.
"The stats so far have been pretty good; for Exchange Server 2000 Service Pack 3, which is more than just a patch, its sort of like an uber set of software changes prior to [being developed] under the trustworthy computing strategy it had eight security bulletins - when the new service pack came out developed under the twc/sdl process it had two," Reitinger said of the new regime.
"Is this good enough, no, we need it to reduce. But it does show progress, that the process is working and we are reducing the number of vulnerabilities in code.
"The SDL process includes security milestones at every stage of the design process - as the software design starts a team of security people are assigned to the development team".
"This is now mandatory in Microsoft for products that pose a security risk; that is products that are used in the enterprise or products that are internet-based. IT may not be everything but due to the business, due to the critical infrastructure it's got to do this.
"One of the most critical issues that the IT industry as a whole needs to address is the rising count in vulnerabilities - those who run IT systems live this on a day to day basis."
The SDL has been used in Windows Server 2003, SQL Server 2000 SP3 and the upcoming release of Exchange Server 2003 SP2.
However, it was not utilized in the development of Windows SP2. At the RSA Security conference in San Francisco, February 15, Microsoft chief Software Architect Bill Gates stressed a recent Microsoft study showed 64 percent of developers are not confident in their ability to write secure applications.
That same week, Microsoft issued a dozen security bulletins for various vulnerabilities, more than half relating to SP2. Further vulnerabilities were found in Windows Media Player, MSN Messenger, Internet Explorer and the Office Suite.