Microsoft releases internal security tools, methods
Microsoft will soon release tools and methods it has used over the last few years to reduce the number of security problems in its software.
Microsoft began to take security seriously around 2001. Coding problems in its software opened the door to an intense new wave of malicious worms, or self-propagating programs that crashed e-mail servers, created botnets and stole user passwords, causing costly damage to businesses.
In response, Bill Gates launched the Trustworthy Computing Initiative in early 2002. Two years later the company had refined what it calls the Security Development Lifecycle (SDL), or its processes to ensure it writes near-bulletproof code.
Use of the SDL has reduced the number of security vulnerabilities in its Windows Vista operating system and SQL Server, one of its database programs, compared to older versions of the software, said Steve Lipner, senior director of security engineering strategy for Microsoft's Trustworthy Computing Group.
Extending the SDL to ISV (independent software vendors) and other developers for enterprises, such as banks, strengthens confidence in Microsoft and software designed for Windows, Lipner said.
"If somebody is using a third-party application on the Microsoft platform, they are still a Microsoft customer," Lipner said. "We want their computing experience to be safe and secure."
Two of the tools are free. The SDL Optimization Model is a questionnaire and checklist that evaluates an organization's security development practices. It looks at how a company responds to new security alerts and patches, and issues such as training and threat modeling.
Microsoft will offer the SDL Optimization Model for download on its SDL Web page in November.
"We think that's going to be a great resource for people who want to get into the SDL and need to figure out how they get started," Lipner said.
The other freebie is an application called the SDL Threat Modeling Tool 3.0, which will help software architects who aren't versed in security to spot potential security issues in software they are designing.
"If you're a developer, telling you things like 'Think like an attacker' isn't helping," said Adam Shostack, senior program manager for the Security Development Lifecycle Team.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
Microsoft
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
