Article

Microsoft takes Vista security to a new level using SDL

Michelle Davidson

SEATTLE -- After five years, Windows Vista is on the home stretch to being released. And thanks to Microsoft's Security Development Lifecycle (SDL), it's expected to be the most secure product the company has ever released.

Michael Howard, senior security program manager at Microsoft, told attendees at last week's OWASP AppSec Seattle conference how the company's use of the SDL helped find and handle security bugs throughout Vista's development so that most of the security issues will have been eliminated by the time the operating system is release.

"The point of the SDL is to squeeze bugs out throughout the process," Howard said.

That process, he said, begins with prescriptive guidance to the developers followed by mandatory education for them. In fact, Microsoft requires yearly ongoing education training for engineers. It helps raise awareness and set expectations for them, Howard said.

"You get the biggest bang for your buck from education," he said. "Education reduces your chance of having security bugs. That's because if you don't know what you're looking for, you're not going to find it."

Next in the SDL are the "quality gates," Howard said. This is where you can "stop the bleeding," he said. Using tools, developers check for such things as banned APIs, banned crypto, buffer overruns, weak ACLs and integer arithmetic issues.

    Requires Free Membership to View

The point of the Security Development Lifecycle (SDL) is to squeeze bugs out throughout the process. 
Michael Howard
Senior security program managerMicrosoft

Howard pointed out the importance of the Standard Annotation Language (SAL), which is used by static analysis tools. It adds annotations to your code, which helps tools uncover harder-to-find bugs.

Following those checks, comes central analysis. During this phase, inter-procedural analysis, binary analysis and attack surface analysis is conducted. This is also the time when banned APIs and crypto are removed.

Fuzzing tools also come into play during central analysis.

"A huge quantity of bugs found in the wild are due to malformed data," Howard said. "Fuzz testing can find these."

Howard stressed, however, that tools alone do not make software secure. "They help scale the process and they help enforce policy," he said.

The process doesn't end with central analysis. Threat analysis comes next. During this phase threat modeling comes into play. Use these models to help find design issues, Howard said. If you find them upfront rather than at the end of the development process, you can avoid having to go back and rework the code, which can be a laborious process.

"All components of Vista were threat-modeled," Howard said. That meant 1,400 threat models.

"We've learned a great deal about making threat models easier to create by non-security experts," he said. Ways that they've done that is they've moved from threat trees to patterns of threats and they use risk heuristics instead of risk calculations.

If you give developers numbers, they can fudge them, Howard said. Instead developers are given four levels to determine the risk, ranging from critical to low. "Anything rated critical to important, you fix. There's no argument," he said.

The last phase of the SDL is external review. At Microsoft, most of the security work is done by Windows engineers, but the company does hire outside companies to look at the code. The bugs found here should be those that are really hard to find. Once again, Howard stressed, the people involved have to know what to look for. If they don't, "you'll have a warm fuzzy feeling thinking you're secure when actually you have bugs," he said.

Despite the SDL, however, one has to assume code and design will never be perfect, Howard said. And yet customers must still be protected. How did the developers do that with Vista? Defenses were built in to protect the operating system from being corrupt, he said.

More information in including security in the SDLC
Keep the bad guys out: Build security into the SDLC

Security in the software development life cycle

Steps you can take now to begin building in software security

"If all upfront engineering fails, we've incorporated four types of defenses in," Howard said. Those defenses include service hardening; isolation, in which users are no longer admins by default and integrity levels help contain damage; and memory defenses.

"What's critical about Vista is all the defenses are there by default," Howard said. "And these have almost no impact on performance."

Despite all that work, Howard concedes that there could still be security issues with Vista.

"There will be security bugs in Vista, but over time we'll see," he said. "I think a lot of our competitors are in denial of their security problems whereas we're doing something about them. Are we perfect? No. Are we making progress? You bet."


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: