Microsoft Releases Internal Security Tools, Methods

By Jeremy Kirk

Tue, September 16, 2008 — IDG News Service —

Microsoft will soon release tools and methods it has used over the last few years to reduce the number of security problems in its software.

Microsoft began to take security seriously around 2001, when coding flaws in its software opened the door to an intense new wave of worms: self-propagating programs that crashed e-mail servers, built botnets and stole user passwords, causing costly damage to businesses.

In response, Bill Gates launched the Trustworthy Computing initiative in early 2002. Two years later the company had refined what it calls the Security Development Lifecycle (SDL), the set of processes it follows to reduce the number of vulnerabilities in the code it ships.

Use of the SDL has reduced the number of security vulnerabilities in its Windows Vista operating system and SQL Server, one of its database programs, compared to older versions of the software, said Steve Lipner, senior director of security engineering strategy for Microsoft's Trustworthy Computing Group.

Extending the SDL to ISVs (independent software vendors) and to in-house developers at enterprises such as banks strengthens confidence both in Microsoft and in software designed for Windows, Lipner said.

"If somebody is using a third-party application on the Microsoft platform, they are still a Microsoft customer," Lipner said. "We want their computing experience to be safe and secure."

Two of the tools are free. The SDL Optimization Model is a questionnaire and checklist for evaluating an organization's security development practices: how it responds to new security alerts and patches, and how it handles areas such as training and threat modeling.

Microsoft will offer the SDL Optimization Model for download on its SDL Web page in November.

"We think that's going to be a great resource for people who want to get into the SDL and need to figure out how they get started," Lipner said.

The other freebie is an application called the SDL Threat Modeling Tool 3.0, which will help software architects who aren't versed in security to spot potential security issues in software they are designing.

"If you're a developer, telling you things like 'Think like an attacker' isn't helping," said Adam Shostack, senior program manager for the Security Development Lifecycle Team.

The application lets software architects diagram aspects of a design such as its data flows. Microsoft has encoded into the program the rules a security engineer would apply when reviewing such a diagram, so users of the Threat Modeling Tool get instant feedback, Shostack said. Microsoft will put the tool on its Microsoft Developer Network download center in November.
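To make concrete what "encoded rules" and "instant feedback" mean for a data-flow diagram, here is an added example; it is not Microsoft's code and not part of the original article. It assumes STRIDE-per-element as the rule set (the article does not name which rules the tool encodes), adds two reviewer rules that fire when a flow crosses a trust boundary, and runs them over a constructed three-element web application model.

```python
"""Toy threat generator over a data-flow diagram (DFD).

Added example, not Microsoft's SDL Threat Modeling Tool. The rule set is an
assumption: STRIDE-per-element plus two trust-boundary rules a reviewer
would apply by hand. The sample model at the bottom is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# STRIDE-per-element: which threat classes apply to each kind of DFD element
# (assumed rule table, not quoted from the tool).
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external": "SR",      # external entity: can be spoofed, can repudiate
    "process":  "STRIDE",  # a process is exposed to every class
    "store":    "TRID",    # data store: tamper, repudiate, disclose, deny
    "flow":     "TID",     # data flow: tamper, disclose, deny
}
THREAT_NAME = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external" | "process" | "store"
    zone: str   # trust zone; a flow between different zones crosses a boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    encrypted: bool = False
    authenticated: bool = False


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    note: str


def stride_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Generic per-element threats: one per applicable STRIDE letter."""
    out = []
    for e in elements:
        for code in STRIDE_PER_ELEMENT[e.kind]:
            out.append(Threat(e.name, THREAT_NAME[code], f"generic {e.kind} threat"))
    for f in flows:
        for code in STRIDE_PER_ELEMENT["flow"]:
            out.append(Threat(f.name, THREAT_NAME[code], "generic flow threat"))
    return out


def boundary_findings(flows: List[Flow]) -> List[Threat]:
    """Encoded reviewer rules that fire only on flows crossing a trust boundary."""
    out = []
    for f in flows:
        if f.src.zone == f.dst.zone:
            continue  # same zone: the generic STRIDE entries already cover it
        crossing = f"{f.src.zone}->{f.dst.zone}"
        if not f.encrypted:
            out.append(Threat(f.name, "Information disclosure",
                              f"crosses {crossing} in cleartext"))
            out.append(Threat(f.name, "Tampering",
                              f"crosses {crossing} with no integrity protection"))
        if not f.authenticated:
            out.append(Threat(f.dst.name, "Spoofing",
                              f"cannot tell real {f.src.name} from an attacker on {f.name}"))
    return out


def analyze(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    return stride_threats(elements, flows) + boundary_findings(flows)


# Constructed sample model: browser -> web app -> database, three trust zones.
BROWSER = Element("browser", "external", "internet")
WEB = Element("web", "process", "dmz")
DB = Element("db", "store", "internal")
SAMPLE_ELEMENTS = [BROWSER, WEB, DB]
SAMPLE_FLOWS = [
    Flow("login", BROWSER, WEB),                                   # plain HTTP, anonymous
    Flow("query", WEB, DB, encrypted=True, authenticated=True),    # TLS + DB credentials
]

if __name__ == "__main__":
    for t in analyze(SAMPLE_ELEMENTS, SAMPLE_FLOWS):
        print(f"{t.target:8} {t.category:24} {t.note}")
```

The generic STRIDE rows are what an architect sees the moment an element is dropped on the canvas; the boundary rules are the kind of feedback that depends on how the diagram is wired, which is why the sample's unencrypted `login` flow draws three extra findings while the protected `query` flow draws none.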

The last component is the SDL Pro Network, a group of nine security service providers, consultancies and training companies that will advise other companies on adopting the SDL.
