Microsoft Security Development Lifecycle (SDL)
We all know that at one time in the past Microsoft was considered the laughing stock of computer and software security. While it's debatable that Microsoft was really much worse than any other software vendor, the fact is that Microsoft's large installed base made it the focal point for hackers and malware. Exploits at the time were high-visibility events that got a lot of media coverage.
That seems like a hundred years ago to most of us in the Microsoft security community. While security is always a work in progress, Microsoft has gone from what many thought of as the least secure software company in the world to what many consider the most secure software company in the world.
It didn't happen overnight, and it wasn't magic or the "power of money". What enabled Microsoft to turn so quickly from insecure to secure was Bill Gates' mandate that attention to secure software development would be job one, and then the implementation of the Microsoft Security Development Lifecycle, or SDL.
The SDL provides processes and procedures that programmers and application developers can use to ensure that software is built with security in mind. Security isn't "bolted on" afterward. Instead, security considerations, threat modeling and fuzz testing are done throughout development so as to minimize the risk of "surprises".
The SDL is now part of all software development at Microsoft, and the results of its implementation are astounding. All you need to do is check the reductions in security issues in Windows Vista versus previous Windows client versions, or in Windows Server 2008 compared to previous Windows Server versions.
Microsoft has put together a new landing page for the SDL. You can find it at http://msdn.microsoft.com/en-us/security/cc448177.aspx and get more information about the SDL there. Then, when you're considering purchasing software from Microsoft or another vendor, ask the other vendor for information on their SDL and details on how they implement it, like the information on the Microsoft SDL page.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)