Microsoft seeks secure software development

Microsoft wants to take what it has learned about secure software development in-house and share its insights with others.

The company on Tuesday will offer up guidance and a tool based on Security Development Lifecycle (SDL), a security assurance process unveiled in 2004 and serving as an evolution of the company's Trustworthy Computing initiative. Deliverables include Microsoft SDL Threat Modeling Tool 3.0, for structured analysis of security and privacy issues; Microsoft SDL Optimization Model, for assessing security, and Microsoft SDL Pro Network, offering security guidance and SDL best practices. All will be available in November.

"What we're doing [what is] called SDL for the development ecosystem," said Steve Lipner, Microsoft senior director of security engineering strategy, during a meeting at InfoWorld' San Francisco offices last week.

Analyst data, Lipner said, has shown that 10 percent of organizations test for security during the implementation phase of software, 20 percent test during the verification phase, and 70 percent wait until the software already is in use. "What that means is that basically, you're putting it out there hoping nobody will break into it," he said.

With its moves this week, Microsoft wants to externalize what it has learned and alleviate the problem of bad code development, said Jon Oltsik, senior analyst for Enterprise Strategy Group. "People point at Microsoft [when bad code is developed in a Microsoft environment], so they'd like to alleviate that," Oltsik said.

Microsoft SDL Threat Modeling Tool 3.0 is a design analysis tool offering early and structured analysis, as well as proactive mitigation and tracking of potential security and privacy issues, Microsoft said. The tool can be used for new or existing applications, which can be based on Windows or other development methodologies. But the tool itself runs on Windows.

"Threat modeling is a way of looking at the design of a piece of software and saying, what are the things I need to be worried about to make sure this software isn't subject to attack," Lipner said. Factors will be examined such as validation of input, authentication, and encryption of sensitive data.

Potential cross-site scripting problems, which have been an issue with AJAX applications, can be pondered with the tool. "It would help you identify the areas where you ought to be concerned with cross-site scripting," Lipner said.

While the free tool being offered in November is the third version of the technology, this is the first time it has been available to the public instead of just to Microsoft's internal developers.

"I love the threat modeling tool," said Mike Gualtieri, senior analyst at Forrester Research. "I wish I had it when I was a developer. In addition to helping developers do threat modeling, it also educates developers on security issues as they use the tool."

Microsoft's optimization model features free guidance available for Web download in November. "The optimization model is for helping organizations self-assess their maturity or their effectiveness at secure development," Lipner said.