Microsoft and security: Changes in product development pay off
By Rich Freeman
Since Bill Gates made security Priority No. 1 in 2002, Microsoft has transformed the way it develops software, provides security guidance, and distributes updates. The result is more secure products now, and safer customers.
In summary:
• In January 2002, Microsoft Chairman Bill Gates declared "Trustworthy Computing" the company's highest priority.
• Since then, a rigorous software-writing methodology called the Security Development Lifecycle has significantly reduced vulnerabilities in Microsoft products.
• Among the improvements are faster security guidance and simpler updates for partners and customers.
You don't have to be an IT expert to understand the importance of security. All you have to do is read the news. Every day, it seems, brings word of a costly new virus, scam, or intrusion.
"It is an arms race," observes Michael Howard, a senior security program manager at Microsoft. The harder you work to ward off malicious hackers, the harder they look for new and creative modes of attack. The only answer is to build vigilance into your every action, Howard says.
To that end, Microsoft has changed the way it creates and supports software. The return on that effort has been a new generation of more secure products and a multitude of initiatives that are helping customers respond to threats more quickly and effectively.
Building security into the software development process
The foundation of Microsoft's new approach is the Security Development Lifecycle (SDL). Adopted in 2002, following several highly publicized virus outbreaks against Microsoft customers, the SDL is a rigorous methodology for developing more secure software.
To date, some 20,000 Microsoft developers, testers, and program managers have received SDL training. SDL techniques are mandatory for the vast majority of Microsoft products, including all products that connect with the Internet.
Underlying the SDL is a set of four fundamental principles:
1. Secure by design: Software should be architected, designed, and implemented to protect itself from malicious attacks.
2. Secure by default: A product's default state should promote maximum security by disabling features that are not widely needed and granting users only the minimally necessary access rights.
3. Secure in deployment: Tools and guidance should be available to help organizations use software safely, and updates should be easy to deploy.
4. Communications: When product vulnerabilities appear, Microsoft should help customers take prompt action by sharing information openly and responsibly.
Wide-ranging in scope, the SDL touches every stage of the software authoring process.
For example, during the design phase, programmers and security experts use "threat modeling" techniques to identify and remove architectural vulnerabilities. During the programming phase, automated tools methodically seek out and report weaknesses. To keep hackers from exploiting any remaining weak points, developers minimize a program's "attack surface" by limiting the features and capabilities available to unauthenticated users. "If you cannot get to the vulnerable code, you cannot exploit it," Howard says.
Meanwhile, mandatory checkpoints throughout the development process force coders and testers to confirm that their work meets strict SDL standards. Product teams must address any issues uncovered during these assessments before programming can proceed. When an application is finished, a team of security experts conducts a last, meticulous review. Microsoft will not ship a new product until it passes this final exam.
Attention to security delivers significant results
For product teams at Microsoft, the SDL represents a radically new approach to writing software. "It has been a huge change, as there are a lot of things you have to think about now in greater detail," Howard says. Thanks to the SDL, security is no longer a job solely for experts such as himself, Howard observes. It is everyone's job. "When people ask me how many security people there are in the Windows Vista group, I say 6,000," Howard says with a smile.
So far, SDL has paid off for Microsoft in measurable ways. For example:
• Customers using Windows XP SP2 are 13 to 15 times less likely to be infected by "malware" than are users of previous versions of Windows XP, according to internal Microsoft data.
• There have been 50 percent fewer security vulnerabilities found in Windows Server 2003 than in its predecessor, Windows 2000 Server.
• There have been just two security vulnerabilities found in the latest version of Microsoft's Web server product, Internet Information Services 6.0, since its release in 2003.
• There have been no security bugs found in SQL Server 2005 since its introduction in November 2005. "To go for a year with nothing is pretty incredible," Howard notes.
Windows Vista, however, is the product that most fully bears the SDL's imprint. While users still need to protect and update their PCs regularly with antivirus software, Microsoft's new-generation operating system offers layered security features that safeguard users better than any previous edition. "There is nothing in the product that has not been touched by security," Howard says. For example, once common but vulnerable coding techniques have been banned from Windows Vista, and new group policy controls enable administrators to bar employees from connecting potentially insecure devices, such as USB memory sticks, to their PCs.
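The article does not say which coding techniques were banned. The best-known class, and the one on the SDL's banned-API list (Microsoft's banned.h), is the unbounded string copy: strcpy() into a fixed-size buffer. The following is an added example, not code from Microsoft or from this article, showing that banned pattern beside the bounded, fail-closed replacement the rule pushes developers toward. The buffer size, function names and sample inputs are constructed for illustration; Microsoft's own replacement is strcpy_s(), but a portable explicit length check is used here so the block compiles with any C compiler.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* size of the destination buffer; constructed for the example */

/*
 * BEFORE: the pattern the SDL banned-API rule forbids.
 * strcpy() copies until it sees a NUL and knows nothing about the size of
 * dst. Any src of NAME_MAX bytes or more writes past the end of the buffer;
 * whether that smashes an adjacent variable, a return address, or nothing at
 * all depends on the stack layout, which is exactly why it is undefined
 * behaviour. Kept here for comparison only; never feed it untrusted input.
 */
void copy_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);   /* no bound: banned under the SDL */
}

/* Bounded strlen: stops scanning after max bytes so an unterminated src
   cannot cause an unbounded read either (local stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/*
 * AFTER: a bounded, fail-closed copy. The caller passes the real size of
 * dst; input that does not fit (including its terminating NUL) is rejected
 * rather than silently truncated, and dst is left as an empty string so a
 * caller that ignores the return value still never reads garbage.
 */
bool copy_name_safe(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return false;
    dst[0] = '\0';
    if (src == NULL)
        return false;

    size_t len = bounded_len(src, dst_size);
    if (len >= dst_size)        /* no room for the NUL: reject, do not truncate */
        return false;

    memcpy(dst, src, len + 1);  /* len + 1 copies the terminator too */
    return true;
}

/*
 * Runs a batch of inputs through the safe copy and returns how many were
 * rejected as too long; copy_name_unsafe() would have overflowed on each of
 * those.
 */
size_t count_rejected(const char *const *inputs, size_t n)
{
    char buf[NAME_MAX];
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (!copy_name_safe(buf, sizeof buf, inputs[i]))
            rejected++;
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample inputs: two fit in a 16-byte buffer, two do not. */
    const char *const samples[] = {
        "alice", "bob", "1234567890123456", "0123456789abcdefXYZ"
    };
    size_t n = sizeof samples / sizeof samples[0];
    printf("%zu of %zu inputs rejected as too long\n", count_rejected(samples, n), n);
    return 0;
}
```

The point of the return value is the fail-closed contract: a caller that checks it can refuse the request, and a caller that does not still ends up with an empty, NUL-terminated string instead of a partially overwritten stack frame.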
Progress on issuing guidance and updates
The SDL has helped Microsoft reduce vulnerabilities, but no software vendor can ever eliminate them completely. So Microsoft has taken steps to identify security threats more rapidly and help customers respond to them more easily. For example, the Microsoft Security Response Center now makes guidance on newly-discovered vulnerabilities available online and through phone support in less than two hours, on average, instead of the 24 hours required previously. Microsoft also now makes remedies for new infections available online (via the Malicious Software Removal Tool) within days — compared to the month required previously.
In addition, Microsoft has become more efficient at distributing updates. "We heard a lot of feedback from customers that they wanted us to provide updates on a predictable schedule," says Scott Stanzel, a senior product manager in Microsoft's Security Technology Unit. As a result, Microsoft has switched from ad hoc distribution of security patches to a regular monthly schedule.
Microsoft also provides technologies that simplify patch deployment, including Microsoft Update (which automatically sends new patches to customers) and Windows Server Update Services (which eases installation of server-related updates across a data center). "It has taken a lot of the pain out of [the updating] process," Stanzel says. In addition, Microsoft Systems Management Server 2003 offers valuable policy-based update capabilities for midsize and larger organizations.
Indeed, such tools and Microsoft's revised update calendar have helped Garanti Technology, an IT services company based in Istanbul, Turkey, reduce the time it spends updating its systems by 65 percent. "Today, we spend a total of 15 to 20 hours to apply a month's worth of security updates to our 13,000 systems. It used to take at least twice as long to write scripts and far longer to apply the updates," says Kenan Agyel, Garanti’s manager of Microsoft systems.
In the end, making security easier is the impetus behind Microsoft's entire safety-first approach to software development and distribution. "We want to provide the products, the services, and the guidance to customers that will protect their systems and give them trust in their computing experiences," Stanzel says. Initiatives such as the SDL are helping Microsoft realize that goal.
Rich Freeman is a Seattle-based freelance writer specializing in business and technology. He has more than 14 years of strategic marketing and communications experience in the IT industry.