Microsoft releases internal security tools, methods
Microsoft will soon release tools and methods it has used over the last few years to reduce the number of security problems in its software.
Microsoft began to take security seriously around 2001. Coding problems in its software opened the door to an intense new wave of malicious worms, or self-propagating programs that crashed e-mail servers, created botnets and stole user passwords, causing costly damage to businesses.
In response, Bill Gates launched the Trustworthy Computing Initiative in early 2002. Two years later the company had refined what it calls the Security Development Lifecycle (SDL), or its processes to ensure it writes near-bulletproof code.
Use of the SDL has reduced the number of security vulnerabilities in its Windows Vista operating system and SQL Server, one of its database programs, compared to older versions of the software, said Steve Lipner, senior director of security engineering strategy for Microsoft's Trustworthy Computing Group.
Extending the SDL to ISV (independent software vendors) and other developers for enterprises, such as banks, strengthens confidence in Microsoft and software designed for Windows, Lipner said.
"If somebody is using a third-party application on the Microsoft platform, they are still a Microsoft customer," Lipner said. "We want their computing experience to be safe and secure."
Two of the tools are free. The SDL Optimization Model is a questionnaire and checklist that evaluates an organization's security development practices. It looks at how a company responds to new security alerts and patches, and issues such as training and threat modeling.
Microsoft will offer the SDL Optimization Model for download on its SDL Web page in November.
"We think that's going to be a great resource for people who want to get into the SDL and need to figure out how they get started," Lipner said.
The other freebie is an application called the SDL Threat Modeling Tool 3.0, which will help software architects who aren't versed in security to spot potential security issues in software they are designing.
"If you're a developer, telling you things like 'Think like an attacker' isn't helping," said Adam Shostack, senior program manager for the Security Development Lifecycle Team.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
Microsoft
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
