REDMOND, Wash., November 21, 2005 – Microsoft has reached a significant milestone in its ongoing, company-wide commitment to increasing software security. Earlier this month, the latest versions of three key products – Microsoft Visual Studio 2005, Microsoft SQL Server 2005, and Microsoft BizTalk Server 2006 beta 2 – were launched, becoming the first Microsoft products to have undergone the complete Security Development Lifecycle (SDL) process from inception to release.
Michael Howard, Senior Security Program Manager, Microsoft Security Technology Unit (Photo updated April 30, 2007)
Microsoft’s SDL process is a unique approach to software development that reflects the knowledge and best practices learned from focused security efforts over the last three years across all phases of the software development lifecycle. From initial design to final release, every Internet-facing or enterprise-class product offered by Microsoft will go through its comprehensive SDL process. In addition, Microsoft also announced that key code analysis and debugging tools developed as part of the SDL process – PREfast and FxCop, among others – are now available to commercial software developers via Visual Studio 2005. Once exclusive to Microsoft, these tools help independent software developers reduce software vulnerabilities in their applications, write higher quality code, and meet the growing demand for more secure software.
Because the SDL is a foundational element in Microsoft’s overall security efforts, PressPass interviewed Michael Howard, senior security program manager with Microsoft’s Security Technology Unit, to get his perspective on the specifics of these new products and on the overall progress to date of the SDL effort.
PressPass: What is the significance of these SDL milestones?
Michael Howard: These are important milestones as we focus on improving software security consistent with diverse customer needs. The SDL reflects how we’ve internalized the need to build security into our products. The development process of Microsoft Visual Studio 2005, Microsoft SQL Server 2005 and Microsoft BizTalk Server 2006 beta 2 shows the real impact the SDL is having on our products. An important part of the SDL is the use of security-related tools, and with the release of some of these code analysis tools in Visual Studio 2005, we’re giving ISVs [independent software vendors] and corporate developers the ability to build more secure and reliable products on top of our software. That’s a vital step.
PressPass: What has been the goal of the SDL?
Howard: Securing our customers is a top priority, and the SDL is a consistent and pervasive process that helps Microsoft to deliver on this objective. The goal of the SDL is two-fold. First, reduce the number of vulnerabilities in software. The second, and just as important, goal is to reduce the severity of the vulnerabilities that may be found after a product ships. No software program today is completely free of security vulnerabilities. Everyone in the industry must improve. No one is immune, as we can see by the types of attacks that occur across the industry and across multiple products from many vendors. There will always be people who are up to no good and who use the Internet as a medium for committing crimes. The SDL is Microsoft’s way of addressing customer security needs, and we firmly believe it’s the only truly comprehensive approach, from any software vendor, to building in security at a foundational level. I look at the number of security updates for a given product as an indicator of the level of customer involvement needed to keep a product secure. By significantly reducing the number of vulnerabilities and therefore the number of security updates, we can make everyone’s lives a little easier.
PressPass: How would you assess the impact of the SDL to date?
Howard: Based on customer feedback, the reduction in vulnerabilities and internal analysis, we are pleased with the impact the SDL has had so far, but we are still striving to do more. Windows Server 2003 was the first operating system released at Microsoft that implemented large portions of the SDL. Compared to Windows 2000, it had 63 percent fewer critical or important vulnerabilities in the first year after its release. When we started on this journey three years ago, we knew that we wanted to achieve greater security for our customers. Now, the SDL is firmly ensconced inside Microsoft. We are building security in from the beginning of the software development process for every piece of software that Microsoft develops that connects to the Internet. We continually analyze code around security, privacy and reliability issues, and our analysis is showing that new code developed under the SDL has substantially reduced vulnerabilities. While we’ve made a lot of progress through the SDL, we do recognize that there is still a lot of work to be done. No software will ever be 100 percent secure; that’s why we continue to update the SDL process with new techniques and learnings to help stay ahead of contemporary threats.
PressPass: What are the key elements of the SDL?
Howard: It’s a multi-faceted approach. The first and most important element is a company-wide executive commitment from top management to the process. Security is a subset of quality. It’s not a negotiable item for us at Microsoft. If you have that total commitment, then you can proceed to the actual components of the SDL, which include training, innovative tools, and a process for designing security in from the beginning. Let me give you three examples of these processes: education, what we call Threat Modeling, and Secure Windows Initiative (SWI) Buddies. Security education is critical, and we require that all engineers attend ongoing, yearly security training. The concept of Threat Modeling is simple – unless you understand threats, you can’t design software that is secure from attack. So at Microsoft, developers focus from the earliest design stages on understanding how the bad guys could possibly take advantage, and then use that knowledge to preemptively put defenses in the system. SWI Buddies function as a central consulting organization for all of the development teams at Microsoft. It’s a community within the company that functions as a sounding board and consultancy, and a place for very proactive and reciprocal feedback on security issues.
PressPass: What about the tools that are being made available to third-party developers via Visual Studio 2005?
Howard: It’s exciting news that we’re releasing those tools. Having more tools available gives developers greater options in creating more secure and reliable code, and they become an important part of the SDL process. These tools have worked well for Microsoft, and we’re glad to be sharing them with the broader developer community. Through the SDL, Visual Studio 2005 represents a more secure and reliable platform from which developers will be able to write code with fewer vulnerabilities and quality issues. Moreover, developers can make these security improvements in a cost-effective manner through use of the automated tools included in Visual Studio 2005. That goes a long way toward building more trust in the computing ecosystem for many different types of customers, from developers to end users.
PressPass: Can you tell us a bit more about these automated tools?
Howard: When we think about improving overall software quality, we want to make sure products are secure against a whole constellation of threats and can meet a certain level of reliability, so they deliver the results customers expect and deserve. Both PREfast and FxCop are automated tools that scan code, looking for common problematic coding constructs that impede security and reliability. As “static analysis” tools, they run by scanning the code itself rather than by running the program and watching its execution. Customers will benefit in many ways from these tools. As an example, defects found by PREfast will be cheaper to fix in terms of development costs. PREfast will also help prevent defects and dangerous code patterns from slipping into new code. That is incredibly valuable for developers who have overall quality, security and reliability in mind when building their products. In addition to PREfast and FxCop, Visual Studio 2005 provides several other tools and features to help developers create secure solutions, such as Application Verifier, SafeCRT libraries, the /GS switch, and Debug-in-Zone.
PressPass: How can developers benefit from the SDL to build more secure applications?
Howard: Releasing these tools is a good start, but it’s only a first step. Tools are just that – tools. They don’t make products secure by themselves. The real key is to get developers across the board to think about security at every step of the way in the development process. That’s what the SDL really represents – a holistic way of delivering more secure products – and that kind of approach is essential to across-the-board industry improvements in security and reliability. I have co-authored a white paper that outlines this new way of thinking about software development: http://msdn.microsoft.com/security/sdl. I also wrote a short, but more technical version for MSDN Magazine: http://msdn.microsoft.com/msdnmag/issues/05/11/SDL/default.aspx.
PressPass: That sounds like a massive education effort.
Howard: Absolutely. That’s why we know there’s still a lot of work to be done. One thing we have focused on is the next generation of software developers, those who are ready to graduate from universities and join the industry as developers. It’s critical that they have a deep knowledge of security issues as they enter the industry. Through Microsoft Research, we are providing a program called Trustworthy Education that is targeted to those next-generation developers. And that’s in addition to the work we do through the Microsoft Developer Network (MSDN) and other educational outreach efforts to help developers think holistically about security. Education is only part of our three-pronged holistic approach to building trustworthy software: developing innovative technologies, providing industry leadership with the help of key partners, and delivering customer guidance and education.
PressPass: All of this sounds like a fairly direct approach to building more secure software.
Howard: It’s not as simple as it sounds. If you build software that touches the Internet, there’s a chance it will be attacked. Something like the SDL is so deeply fundamental to software development that it takes a lot of effort to do well. But it does work if you persevere. As I mentioned earlier, even products which only partially had the benefit of the SDL, like Windows Server 2003, have seen a significant reduction in vulnerabilities. We are now seeing, as we discussed today, the first wave of Microsoft products that were built using the SDL from the very beginning; and we’re releasing key tools from the SDL environment that third-party developers can use. That’s a great step forward and we hope that this encourages the entire industry to think more comprehensively about security in their products.