Microsoft seeks secure software development

Company will introduce SDL Threat Modeling Tool 3.0, an evolution of the Trustworthy Computing initiative

Microsoft wants to take what it has learned about secure software development in-house and share its insights with others.

The company on Tuesday will offer up guidance and a tool based on Security Development Lifecycle (SDL), a security assurance process unveiled in 2004 and serving as an evolution of the company's Trustworthy Computing initiative. Deliverables include Microsoft SDL Threat Modeling Tool 3.0, for structured analysis of security and privacy issues; Microsoft SDL Optimization Model, for assessing security, and Microsoft SDL Pro Network, offering security guidance and SDL best practices. All will be available in November.

"What we're doing [what is] called SDL for the development ecosystem," said Steve Lipner, Microsoft senior director of security engineering strategy, during a meeting at InfoWorld' San Francisco offices last week.

Analyst data, Lipner said, has shown that 10 percent of organizations test for security during the implementation phase of software, 20 percent test during the verification phase, and 70 percent wait until the software already is in use. "What that means is that basically, you're putting it out there hoping nobody will break into it," he said.

With its moves this week, Microsoft wants to externalize what it has learned and alleviate the problem of bad code development, said Jon Oltsik, senior analyst for Enterprise Strategy Group. "People point at Microsoft [when bad code is developed in a Microsoft environment], so they'd like to alleviate that," Oltsik said.

Microsoft SDL Threat Modeling Tool 3.0 is a design analysis tool offering early and structured analysis, as well as proactive mitigation and tracking of potential security and privacy issues, Microsoft said. The tool can be used for new or existing applications, which can be based on Windows or other development methodologies. But the tool itself runs on Windows.

"Threat modeling is a way of looking at the design of a piece of software and saying, what are the things I need to be worried about to make sure this software isn't subject to attack," Lipner said. Factors will be examined such as validation of input, authentication, and encryption of sensitive data.

Potential cross-site scripting problems, which have been an issue with AJAX applications, can be pondered with the tool. "It would help you identify the areas where you ought to be concerned with cross-site scripting," Lipner said.

While the free tool being offered in November is the third version of the technology, this is the first time it has been available to the public instead of just to Microsoft's internal developers.

"I love the threat modeling tool," said Mike Gualtieri, senior analyst at Forrester Research. "I wish I had it when I was a developer. In addition to helping developers do threat modeling, it also educates developers on security issues as they use the tool."

Microsoft's optimization model features free guidance available for Web download in November. "The optimization model is for helping organizations self-assess their maturity or their effectiveness at secure development," Lipner said.

Featured is an assessment for organizations to look at their security practices and see how they compare to SDL. Users can characterize security practices at four different levels of security: basic, in which the customer risk is undefined; standardized, which offers proactive security; advanced, in which security is integrated; and dynamic, offering specialized security and minimized customer risk.

SDL Pro Network features a network of service providers and consulting and training for implementing SDL. Users can go to companies such as Leviathan Security for assistance with SDL.

"The network of trained partners who will help educate the field on the SDL Optimization Model and the SDL threat modeling tool will help promulgate the technology and usage of security principles, making e-commerce safer for all of us," said analyst Roger Kay, president of Endpoint Technologies Associates.

Microsoft believes that offering security technologies for free with SDL can result in more secure software, which in turn makes Windows more secure. Microsoft began its focus on security after Internet worm attacks in 2001, Lipner said. While Microsoft has seen its share of vulnerabilities drop because of SDL, intruders have instead been attacking others' software, said Lipner.