September 16, 2008 9:00 AM PDT

Microsoft becomes high priest of secure software development

by Elinor Mills

Historically, Microsoft was bashed for security holes in its software that led to worm outbreaks on desktops and servers around the globe and other problems. In 2002, the company saw the light and launched its Trustworthy Computing initiative, elevating security to the top priority, and began designing and building products with security in mind.

Six years later, the company's conversion seems to have worked, with vulnerabilities dropping by about half from Windows XP to Windows Vista and by 90 percent from SQL Server 2000 to SQL Server 2005.

But the environment has changed--Web applications have eclipsed desktop applications as people move more and more of their computing online. Now, 60 percent of new vulnerabilities are in Web apps, and only 14 percent of them are from the top five independent software vendors, like Microsoft and its ilk, according to research from IBM's X-Force.

Microsoft has gone from being the vendor responsible for the greatest proportion of vulnerabilities to being third, with a 2.5 percent share, the research shows. The lion's share of the vulnerabilities comes from start-ups racing to get their products to market. And 70 percent of them are doing the security testing and review after they release the product, Microsoft said.

So now Microsoft is trying to convert others to the cause, offering free tools that outside developers can use to assess their software development security practices and analyze their software designs to look for security weaknesses and threats.

"By helping other companies build more secure software, especially companies that develop on the Microsoft platform, we make the Internet more trustworthy," said Steve Lipner, senior director of Trustworthy Computing at Microsoft. "That's good for our business."

Microsoft will offer free downloads in November of its Security Development Lifecycle (SDL) Optimization Model and its SDL Threat Modeling Tool 3.0, the company announced Tuesday. Also, Microsoft formed the SDL Pro Network composed of nine security consultants to help developers implement the SDL.

The SDL Optimization Model serves as a sort of blueprint for changing processes and strategy related to building secure software. The SDL Threat Modeling Tool, which Microsoft has used internally for about a year, is designed to help analyze the security of software designs and to figure out how to mitigate threats in the development process.

The companies in the SDL Pro Network, which include IOActive, Cigital, and Verizon Business, will serve as contractors and set their own fees. The one-year pilot program begins in November.

Microsoft isn't getting into the security consulting market--it's just trying to help companies improve their software so computer users are protected and feel confident online, Lipner said.

"We're not claiming we're perfect," he said. "But we have a lot of experience in this domain."

Chris Wysopal, chief technology officer of security firm Veracode, praised the announcements but wondered if Microsoft's success can be duplicated at companies with very small developer teams.

"The SDL is working for them, but the question is, will it work for the majority of the companies writing software?" he said.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

(20 Comments)
by rmva September 16, 2008 9:38 AM PDT
"Web applications have eclipsed desktop applications as people move more and more of their computing online"

Some examples please.
by Vegaman_Dan September 16, 2008 11:12 AM PDT
Google.
Adobe.
Facebook.
Myspace.
Twitter.
MobileMe.
The list goes on. As the world adopts more and more of the cloud model, this will only expand.
by joetesta70 September 16, 2008 2:22 PM PDT
MobileMe? No one uses that POS!
by supoman September 16, 2008 9:56 AM PDT
Most of my company's in-house apps are web based. If it were not for the MS office suite nearly everything would be. But back to the topic.....Why would I want to use a M$ security platform? To guarantee my network gets hacked??? Forget about it!!!
by cb3431 September 16, 2008 9:58 AM PDT
Yes, examples please. I have never had a desktop application for online banking. The products I use online have always been online.

All the same thank you Microsoft for taking a strong initiative towards improving security.
by benjaminstraight September 16, 2008 10:34 AM PDT
And I wonder what is wrapped up in the licensing agreement attached to the free tools.
by catbutt5 September 16, 2008 10:49 AM PDT
When your OS is made of swiss cheese like windoze, you'd better become good at security.
"...vulnerabilities dropping by about half from Windows XP to Windows Vista..." Ummm, it aint over yet.
I just read an article over at the Register titled "Black hats target Windows Media Player vuln" dated today.
Just because they've only discovered 50% of the bugs means there's still 50% left to go - it wouldn't be MS any other way-- look at their track record.
P.U.
by joetesta70 September 16, 2008 2:22 PM PDT
Troll. Go away.
by Dalkorian September 16, 2008 3:47 PM PDT
by joetesta70 September 16, 2008 2:22 PM PDT
Troll. Go away.
----------------------------------------------------------------------------

Yet in reply to another comment ...

----------------------------------------------------------------------------
by joetesta70 September 16, 2008 2:22 PM PDT
MobileMe? No one uses that POS!
----------------------------------------------------------------------------

Now *THAT* is irony! Thanks Joe, I needed a good laugh today.
by Jon N. September 16, 2008 11:06 AM PDT
Internet Security. What everyone wants, but (as far as Windows customers go) nobody gets. Vista 32-bit has only an inbound firewall, and everyone who is internet savvy gets anti-virus & spyware software protection. What's wrong with this picture is that M$ needs to make their own software more hack-resistant, and not be so concerned with other corporations and others' software. OS X is an example, and Linux is another. If a person wants to pay 2-3x for their hardware, they go to Apple. The rest of the Windows world applauds Microsoft for their efforts for beefing up security, but IMHO, they need to get their own OpSys house in order first. Windows should have an incoming and outgoing firewall like Comodo, and a top notch anti-virus suite integrated into it, just like Windows Defender.
by AppleSuxLeo September 16, 2008 11:07 AM PDT
Maybe AAPL could use their services. OSX updates over the last several months are gigantic compared to the updates needed for VISTA. Not surprising, as UNIX was developed in 1969.
OSX just had 126MB of security-related updates the other day!!! These were core system updates people. OSX is the new swiss-cheese of the computer industry. Listen to "security now" podcast regularly and you will learn the facts. Like how insecure Chrome is.
http://thisweekintech.com/sn161
by The_Decider September 16, 2008 11:27 AM PDT
If you are going to comment, please do so intelligently.

Vista has been raped more times than OSX and OSX is much, much older.

The 1969 comment just shows your stupidity and that you are going off MS talking points.
by rapier1 September 16, 2008 11:45 AM PDT
It's true that unix qua Unix was developed in 1969 but I don't see how that's a problem. What was created in 1969 was some of the underlying concepts and protocols. The code base for the various flavors of Unix has been rewritten multiple times over the years, with some flavors actually taking a clean room approach (completely new code from the ground up that follows unix conventions). It's not like someone using linux or os x or *bsd is running on top of 30 year old code.
by Dalkorian September 16, 2008 3:53 PM PDT
Oh that was funny!

---------------------------------------------------------------------------
by AppleSuxLeo September 16, 2008 11:07 AM PDT
OSX is the new swiss-cheese of the computer industry. Listen to "security now" podcast regularly and you will learn the facts. Like how insecure Chrome is.
---------------------------------------------------------------------------

Swiss-cheese? You *must* mean winblows, since it's been hacked so repeatedly (yes, even precious little fista has been pwned). How many OSX viruses are there in the wild again? Forget that, how many viruses period for OSX?

The Chrome comment gave your troll status away because that had nothing to do with anything in either the article or your laughably inane comment. Back under the overpass with you troll!
by The_Decider September 16, 2008 11:29 AM PDT
Vista has no real security. Just a few roadblocks that have already been overcome. UAC can be completely sidestepped by a fairly simple .net program.

MS security is almost as big of a joke as they were when they introduced the user accounts in windows 95.
by gp2792 September 16, 2008 12:39 PM PDT
I didn't see this comment coming... I am shocked you feel this way.
by kojacked September 16, 2008 12:50 PM PDT
The_Decider has spoken! Microsoft sucks! All hail The_Decider!

The only big joke around here is you and your comments. Thankfully you and your wisdom will be out of a job in a few months.

I'm sure Microsoft's new security program is just a blank piece of paper since they have little or no security as you purport.
by AdamMoore September 16, 2008 12:51 PM PDT
Funny all the people who probably know little to nothing about security, or have never taken a security class, are busy posting replies to this clearly trolled thread. Now, to wait for the 4,500 replies about getting a Mac, and how their Vista installation runs poorly on their 433MHz.
by Imalittleteapot September 16, 2008 1:48 PM PDT
"Six years later, the company's conversion seems to have worked with vulnerabilities dropping by about half from Windows XP to Windows Vista by 90 percent between SQL Server 2000 and SQL Server 2005."

That doesn't mean they're more secure. They're still finding vulnerabilities in all those programs. The only way to know if they dropped by half would be to find them all and that's just not possible. There are still vulnerabilities in every single one of those programs and Microsoft is simply finding them at a slower pace, which is even scarier if a hacker knew about some of them and just isn't saying anything.

For example, I've heard many times that Vista has less vulnerabilities than XP. Then a week later they find another hole. All that means is people had the flaw in their operating system for a week longer than they would have if MS had found the hole sooner. It doesn't mean it had less holes or was more secure.

The speed at which you get the patches out is a better number to determine how focused they are on security. Also, since we know there are probably still holes in those programs I would personally like to see them releasing more patches at a quicker rate than they currently are. A slowing down of MS issuing patches worries me a bit.

Also, by claiming that less patches means more secure you're just giving MS an incentive not to look for holes or even refuse to acknowledge them when someone else finds them because it would make their OS look insecure to people with the wrong mentality. Sorry, but I want the holes in my Vista fixed as quickly as possible.
by El Chupageek September 17, 2008 7:23 AM PDT
There is some serious ignorance in this thread. I know all of you desperately want to believe the apple commercials, but they just aren't true. The last six years have seen a complete turnaround in the security of MS products. In 2002 their reputation was justly deserved, they made absolute crap, but in 2008 any security professional (for example, me) will tell you they lead the industry. In Q2 of 2008 the most vulnerable aspect of the Windows ecosystem was applications written by Adobe (flash, Acrobat), Apple (quicktime), and Sun (java JVM) (reference: http://blog.cenzic.com/public/item/211522). If you look at the national vulnerability database SQL server 2005 has averaged less than a single vulnerability a year. Apple just released a mega security patch for OS X that patches 34 vulnerabilities, or put another way, more vulnerabilities than reported in Vista in the past year.

The SDL is the most comprehensive commercial secure development framework, something that puts security considerations in from day 1 rather than trying to find security vulnerabilities in testing after the product is mostly done. There is a reason why OWASP pimps Microsoft's Threat Modeling to all who will listen. There is also a reason why the MSDN is full of security best practices and advice to third party developers whereas the Apple documentation repository and Adobe Live Docs are anemic on such details. Microsoft actually gets it, and EVERYONE else would do well to follow.

"The speed at which you get the patches out is a better number to determine how focused they are on security."

That isn't true at all. First, a decrease in discoverable vulnerabilities is far more a testament (preventative controls are always better than corrective), but even more important is the need to fix it right. One simply has to look at recalled quicktime patches, or multiple patches that fix the same vulnerability (Firefox 2.0.11 and 2.0.12 for example) to know that fixing it wrong is as bad as not fixing it at all. Rapid patches tell me, as a security minded individual, that a company has done two things. First, they have done very little verification of the fix, and second, they have not invested time in discovering similar vulnerabilities (typically, if a mistake exists in one place, it often exists in many). The MS SDL specifically requires an analysis of ALL of a code base when a vulnerability is discovered, so that any similar vulnerability can be fixed at the same time. Patches are reverse engineered within 24 hours by blackhats to discover what was fixed. They thus know what the vulnerability was and can look for similar areas where the patch was not applied. Narrow fixes are reasonably ineffective, and the iPhone might not be jailbroken so quickly if Apple would follow a similar strategy as Microsoft.

So for the rational development minded individuals, the SDL is worth investigating. Security Professionals will happily testify that the MS holistic approach of security at every stage of development is the only way to dramatically improve security. That is why MS has the Secure Development LIFECYCLE, as security must be constant. Every company will need to modify such an approach for their own company, my corporation certainly needed to anyway, but the overarching ideas are universal.