Talk about a turnaround. It's always hard to recognize the larger, slow-moving paradigm shifts as they happen. But after a decade of bad press regarding its commitment to software security, Microsoft seems to have turned the tide. Redmond is getting consistent security accolades these days, often from the very critics who used to call it out. Many of the world's most knowledgeable security experts are urging their favorite software vendors to follow in the footsteps of Microsoft.
Haters will always continue hating, but the technical press is giving a lot of favorable coverage to Microsoft's successful efforts to make itself a computer software security leader. Here are some recent examples:
"Microsoft for a long time rightly got a bad reputation for insecure products. However, as an industry we should recognize the sea change in Microsoft's approach to security, of which this [Microsoft's plans to share its Security Development Lifecycle process components] is just one example, and encourage other vendors to follow Microsoft's lead." -- SANS NewsBites
"Microsoft becomes high priest of secure software development." -- CNET
"When I first started writing about information security five years ago, all a writer had to do was mention Microsoft in the same headline space as 'security vulnerability' to strike page-view gold. In 2004 Microsoft was a couple years into its Trustworthy Computing Initiative but it remained the software company IT security practitioners hated with glee.... That's not so much the case today." -- Computerworld
"'This [Windows 7 new memory protection] is smart,' said Charlie Miller, who as principal analyst at Independent Security Evaluators has successfully exploited weaknesses in Windows, OS X, and Linux. 'I think they're [Microsoft] trying to stay ahead of the curve.'" -- The Register
"Johannes Ullrich, CTO of the SANS Institute, who teaches secure coding classes to developers... likened memcpy() to other risky functions such as strcpy() and strcat(), which Microsoft has already banned after exacting untold misery over the years. [He] also wondered aloud when 'Larry, Steve, and Linus' plan to issue similar security edicts in their products. It's a question worth asking." -- The Register
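The banned-function edict that quote refers to is easy to see in code. The following is an added example, not code from Microsoft or from the column: a fixed-size name buffer filled with an unbounded strcpy() beside a bounded replacement that validates the length against the destination capacity and fails closed, plus the same check applied to a memcpy() whose length comes from the caller. NAME_MAX and the function names are assumptions chosen for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* assumed buffer size for the example */

/* Before: the pattern a banned-function list rules out. strcpy() copies
 * until the source's NUL regardless of how large dst is, so any source of
 * NAME_MAX or more characters writes past the end of the buffer. Kept here
 * only as the "before" picture; nothing below calls it. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src); /* no bound on the copy */
}

/* Length of s, scanning at most max bytes (avoids strnlen() portability
 * questions; behaves like strnlen()). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* After: a bounded copy. Returns true on success; if src does not fit
 * (including its terminator) it leaves dst empty and returns false instead
 * of silently truncating, so the caller sees the failure. */
bool copy_name_checked(char dst[NAME_MAX], const char *src)
{
    if (src == NULL) {
        dst[0] = '\0';
        return false;
    }
    size_t n = bounded_len(src, NAME_MAX);
    if (n >= NAME_MAX) {        /* no room for the NUL terminator */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);    /* n + 1 <= NAME_MAX, so this is in bounds */
    return true;
}

/* The same discipline for memcpy() with a caller-supplied length, e.g. a
 * length field taken from a message: compare the length with the
 * destination capacity before copying a single byte. */
bool copy_payload_checked(unsigned char *dst, size_t dst_cap,
                          const unsigned char *src, size_t len)
{
    if (dst == NULL || src == NULL || len > dst_cap)
        return false;
    memcpy(dst, src, len);
    return true;
}

int main(void)
{
    char name[NAME_MAX];
    /* constructed inputs: one that fits, one that is exactly too long */
    printf("short name: %s\n", copy_name_checked(name, "alice") ? "ok" : "rejected");
    printf("16-char name: %s\n",
           copy_name_checked(name, "0123456789abcdef") ? "ok" : "rejected");
    return 0;
}
```

The important design choice is that the bounded version reports the oversized input rather than truncating it: truncation keeps the program running but can quietly change a name, a path or a command, whereas a rejected copy surfaces the bad input where it can be logged and handled.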
"As repugnant as it sounds, Apple will need to take a page from Microsoft's book in this area. Years of combating viral threats, malware, and so on (partially through their greater exposure and partially, it must be admitted, through bad programming) have resulted in a well-oiled machine which responds quickly and decisively to the threats." -- CrunchGear
What's in it for you
It isn't just press talk. Every common security and vulnerability metric shows that Microsoft's software security has dramatically improved over the years, especially compared to its main competitors. Vulnerabilities found by employees and external researchers are down by well over half from just a few years ago. For some products, such as IIS and SQL Server, the improvement is startling, going from dozens of exploits a year to barely a handful over five years.
Hackers have moved on from focusing on Windows holes to attacking third-party applications or social engineering the end-user as the primary attack vector. Patch Tuesday was derided when it first appeared. Now it has become a model for many other popularly attacked products, and vendors not using a regularly scheduled patch period are being asked to get on board by their customers.
Sure, Microsoft still has its share of critics, and it has a long way to go before it is done, but it's hard to argue that the company has not made significant progress. Although there are many factors behind its success, including better patching, host-based firewalls, and increased responsible disclosure, the lion's share of the credit belongs to its dedication to the Security Development Lifecycle (SDL) process.
Microsoft is being touted more and more frequently, even by people who otherwise would claim to hate Microsoft, as a programming security model to follow. All that positive energy is ending up in the press and is not lost on potential customers.
By now you might be wondering if there is a point to this column, besides delivering kudos to my employer. Well, yes. First, the success of SDL can no longer be ignored. SDL is responsible for Microsoft's transition from being the butt of security jokes to being touted as a security leader. That shift is huge, and it's worth billions of measurable dollars. Second, it took serious commitment from the CEO on down. Without long-term executive commitment, the chance for success is diminished.
Third, even with top-level commitment from all the senior executives, retraining of staff, and a dedicated corporate focus, it took about five years to turn the ship. It may have taken only a few weeks of education to turn all the programmers into secure programmers, but it took much longer to change the company culture. It took year after year of examining the weak links, providing new tools and solutions, and changing ingrained policies and processes. It took, and continues to take, heated debates on internal discussion lists, where everyone is encouraged to share their feelings about a particular decision.
But the best part is that most of the tools and thousands of pages of information that Microsoft used to turn itself around are freely available to anyone. They can be used by you and your company to create more secure software. You don't have to reinvent the wheel or discover the secrets of secure coding on your own. Microsoft's SDL model is pretty far along in its maturity, and you can benefit from the policies, standards, and procedures it has developed. Instead of guarding this know-how as a secret competitive selling point, Microsoft is inviting everyone to participate. After all, a stronger, more secure computing ecosystem benefits everyone.
If your company could benefit from SDL, start with the Microsoft SDL Training and Resources page and Michael Howard's Web Log on MSDN. I challenge you to find anywhere near the amount of free resources on improving your software security from any other source.
Cute commercials at the expense of a competitor are one thing. Trying to improve security for everyone is another.