A Decade of SDL
A decade ago last month, Bill Gates wrote the now-famous Trustworthy Computing email that challenged Microsoft (and the broader IT and dev community) to fundamentally improve the security, reliability and robustness of applications and code. At Microsoft, the first efforts to pursue Gates' challenge were applied in the development of Windows Server 2003, and provided an early template for what would become the Security Development Lifecycle (SDL) at Microsoft.
"10 years ago... we were doing the training that led into the Windows Server 2003 security push," said Steve Lipner, Partner Director for Program Management of Trustworthy Computing at Microsoft. "A little less than eight years ago we briefed the senior leadership team and got the authorization for the SDL going forward."
The results, says Lipner, are hard to argue with. "We launched the SDL in July of 2004. 8 years later we've made a significant difference in the security of Microsoft software."
That difference has since extended across the Microsoft software portfolio. Lipner points to fuzz testing conducted by security researcher Dan Kaminsky that showed a significant reduction in discovered vulnerabilities over time. In Kaminsky's tests, Office 2003 produced 126 exploitable vulnerabilities, Lipner says. By contrast, Office 2010 produced just 7 potential vulnerabilities. "That was a 94 percent decrease across three Office releases," says Lipner.
There were challenges.
"When we started in 2004, what we were doing was initially targeting the Microsoft environment. So there were some common things that all Microsoft did, but there was a lot of variation from business group to business group, and product team to product team. We didn't want to impose any more than we had to to enable the product groups to make their software more secure," Lipner explains. "We didn't want to come in and impose needless mandates and needless uniformity. We just wanted to do the things we knew would work."
Since 2007, when Microsoft made its first public SDL release, the company has been working to carry the SDL process to the broader software development community. The aim, Lipner says, is to enable cost-effective security adoption, and the numbers seem to argue his point. An August 2010 Aberdeen Group study estimated that the average cost of remediating a single, security-related incident is about $300,000.
For companies looking to jump on the SDL train, Lipner urges developers to start simple and first grasp the issues related to their specific development style and tooling. He also advises organizations to concentrate on pain points rather than address the broad development spectrum from the start.
"If an organization has a history of security incidents or security vulnerabilities, look at the tooling and processes in the SDL, and try to figure out which of those are highest impact on the problems you've seen," Lipner says. "That allows you to start with some quick wins and impact, and roll out the process in more of a phased manner."
Is your organization implementing a more robust security development lifecycle? We'd love to hear your takes on the effort and how it's affected both your software development process and your resulting applications. Email me at mmeditor@microsoft.com.