Microsoft’s commitment to the Core Infrastructure Initiative

For more than a decade, we’ve made significant investments in securing our devices and services. What people may not know is that we’ve also been involved in cross-platform activities for some time.


The time is now. Security Development Must be a Priority for Everyone


Today marks the first day of the Security Development Conference 2013. Security professionals from companies, government agencies and academic institutions have traveled from all over the world to learn, network and share proven security development practices that can reduce an organization’s risk. As I sit here waiting for Scott Charney to take the stage, I am reminded that it’s been almost a decade since Microsoft implemented its Security Development Lifecycle (SDL). So much has changed in that time.

In the past decade, Internet usage has gone from roughly 350 million people online to more than 2.4 billion. Today there are more opportunities than ever before for developers.  Windows 8 is still relatively new, the cloud is in its early stages of adoption and there has been an explosion in new mobile devices and platforms. While the Internet has created many new opportunities and ways to do business, it has also spawned a digital underground for online crime. Security breaches that have financial consequences or lead to intellectual property loss, website defacement or espionage have become a reality in today’s computing landscape.

Many of the developers I talk with generally recognize the importance of security development. Despite this, the evidence suggests that the vast majority of organizations still have not adopted security development as a fundamental professional discipline. Microsoft recently surveyed over 2200 IT professionals and 490 developers worldwide.  The survey found that only 37 percent of IT Professionals cited their organizations as building their products and services with security in mind.  Furthermore, 61 percent of developers were not taking advantage of mitigation technologies that already exist such as ASLR, SEHOP and DEP. These mitigations have been freely available to the industry for years and are often simple additions to existing development practices–and yet only a minority of developers are leveraging them.  This is concerning to me and it should be concerning to everyone who uses the Internet.


Microsoft SDL Conforms to ISO/IEC 27034-1:2011


Registration Now Live! Security Development Conference 2013

Registration is now live for the Security Development Conference 2013, hosted in San Francisco, CA on May 14 – 15, 2013.  If you register today you’ll save 50% off the normal registration fee.

This year’s conference will include keynote speakers Edna M. Conway, Chief Security Strategist, Cisco Systems Inc.; Brad Arkin, senior director, Security, Adobe products and services; and Scott Charney, corporate vice president, Trustworthy Computing, Microsoft Corp. Event tracks will include: Engineering for Secure Data, Security Development Lifecycle & Data Security, and Business Risk & Data Security. Track sessions will cover the latest in proven security development techniques that help reduce risk and protect organizations in the ever-changing technology landscape.

The Security Development Conference brings together IT security professionals to network, learn and discuss secure development best practices. Attendees from around the world will hear from leading security experts, build their professional networks, and learn how to implement or accelerate adoption of secure development practices within their own organizations. 

For more information, I encourage you to check out the website at www.securitydevelopmentconference.com.

Steve Lipner
Partner Director of Program Management
Microsoft Trustworthy Computing

 


Software Assurance: How can you tell?


The Microsoft Security Development Lifecycle Extends Beyond Applications to Critical Infrastructure

This morning, I am sitting at the inaugural Security Development Conference 2012 in Washington DC listening to people from a diverse set of companies, government agencies and academic institutions sharing their own experiences with adopting a Security Development Lifecycle (SDL) process or learning how to accelerate adoption within their own organizations. As I watched the keynotes and sessions yesterday and see Scott Charney step onto the stage today, I am reminded of the early days at Microsoft when our customers were faced with security threats that challenged their trust in our products and services.  Creating the SDL was an important step in combating these threats and to this day the SDL continues to help reduce the number and severity of vulnerabilities found in Microsoft’s products. 


Evolving Secure Code at Microsoft and Beyond


Trustworthy Computing’s 10 Year Milestone – Reflecting on Humble Beginnings


Welcoming Siemens to SAFECode


Meet us at Black Hat to brainstorm the future of security
