BALTIMORE -- Have you tested your software for bugs? Scoured it for vulnerabilities of every shape and form and then eliminated them? If not, then your product is not ready to ship.
That's the stance of Steven B. Lipner, senior director of security engineering strategy at Microsoft Corp. It is the cornerstone of the company's Security Development Lifecycle (SDL), a process for creating secure software that Lipner described during his keynote address on the final day of the Software Security Summit.
Lipner spoke of the dramatic security overhaul that occurred at Microsoft when the company was developing Windows Server 2003. "We made a gutsy decision to stop development and focus on security," he said. Jim Allchin, group vice president for platforms at Microsoft, "took everybody off development and ran security training for about 8,900 people," Lipner said.
What followed was two full months of threat modeling, pen testing and code review. Production was not resumed until all of the bugs were found and eliminated. It was upon this procedure that the SDL was modeled.
A wake-up call
Back in the early 1990s, "security in Microsoft was the definition of oxymoron," Lipner said with a smile.
But in 2001, Microsoft was slammed with a number of highly publicized attacks, such as the Code Red and Nimda worms. It was "a clear wake-up call that we needed to do a lot more about security," recalled Lipner.
It was then that Bill Gates launched his famous Trustworthy Computing Initiative, and Microsoft made that "gutsy decision" to halt production.
Caleb Sima, co-founder, CTO and director of S.P.I. Dynamics and a speaker at the summit, characterized the move as far more than gutsy. It's "unbelievably amazing" that Microsoft was able to stop maintaining and developing software for months, he said.
"The SDL is an excellent idea, and it's something we've been needing forever," Sima said.
It may come as a surprise that in such a large corporation the SDL is implemented in every product group, Lipner said. And every six months, the SDL is updated to handle new threats.
"People invent new ways to break security, and we need to create new ways to make software secure," Lipner said. "Response is part of the game; it probably always will be."
Emulating the SDL
Throughout the conference, attendees expressed their enthusiasm for proactive security measures like the SDL but were frustrated by the difficulty of implementing such measures. "Nice dream," one audience member commented after Lipner's speech.
But it's not a dream. Whatever your opinion of Microsoft, the company actually made a major security overhaul. For those who'd like to emulate the SDL, Lipner laid out a few tips. He stressed the importance of getting management's support for the idea, creating a core security team, defining the SDL process, training your people and learning from your mistakes.
"We think it's paid off, and we plan on continuing," Lipner said.
Attendees often mentioned money as a block to implementing security. The cost for implementing this procedure on legacy applications might be as much as 15-20% of your development costs, Lipner said. It would be 10% or less if you do it as part of an initial release or if you have a process in place, he said.
Halting production for security is "expensive, but it pays off with more security for our customers," Lipner said.
Education and training is crucial to creating secure software, not only for employees but for computer science students as well, Lipner added. "One of my disappointments is that college students aren't taught security," he said.
To help remedy that, Microsoft has given five-digit grants to 10-20 computer science departments with the aim of improving integration of security into software education training.
"We have a commitment to try and make a change in the education system," Lipner said.