There’s a lot more at stake in Microsoft’s new Vista operating system than many people realize. Sure, it’s a new operating system and it needs to fight its own fight for market share, but I think we’re probably all pretty realistic about the inevitable outcome in that fight. What’s at stake is a new way of thinking about security at Microsoft.
Many of us no doubt remember Chairman Bill’s now infamous 2002 memo to all Microsoft employees in which he put product security as the top priority for the company. Indeed, he went so far as to tell them that security concerns would trump new features in software products. That’s a significant and bold statement for any software development company and it is to be applauded. Great stuff, Bill!
But here it is 2007 and what has really changed? We saw some significant security advances in the XP family, most notably in service pack 2 (“SP2”). Numerous SP2 security enhancements were at last “opt-out” and not “opt-in,” meaning that, for the first time, security features such as the Windows firewall were enabled by default. Again, this is great stuff and should be loudly applauded. I should note that the Windows firewall was available prior to SP2, but many/most users were blissfully unaware of it because it wasn’t enabled by default. (Boo hiss! Bad Microsoft!)
But XP was released in late 2001, early 2002, so it couldn’t have possibly benefited in any meaningful way from Mr. Gates’s new security policy statement. An operating system takes years to develop, and no doubt the vast majority of the development that went into XP took place long before the developers had even the faintest hint of his intentions.
And then along comes Vista, some five or so years later. By all accounts, the code under Vista’s hood was largely a thorough re-write of prior XP and Win-2000 code. And what’s more, it’s the first full operating system that Microsoft developed from the ground up using its new Security Development Lifecycle (SDL).
Several papers and even books have been published detailing the different aspects of the SDL process. In mid-2006, Michael Howard and Steven Lipner published an excellent book on the SDL – it should be read by anyone who develops software.
But, outside of a relatively small (but growing) cadre of software security practitioners, not a lot of folks even know the SDL exists. And yet, in a very real way, the SDL is at least as much on the line here as Vista itself.
And with the first Vista-affecting zero-day attack surfacing just last week, I really hope this isn’t a harbinger of things to come. At least judging by the early accounts of this new security defect, it seems as though there’s every reason to expect it should have been caught through the extensive fuzz testing that’s an integral part of the SDL’s security testing regimen. There are even early indicators that this flaw—or at least a substantially similar one—was reported to Microsoft in XP a couple years back.
Why is this security defect such a big deal, you may be asking. We see defects reported in XP on a nearly daily or at least weekly basis, after all. I’ll tell you. My fear is that the SDL itself could be sacrificed if it’s believed to have failed, which would be a tremendous setback for all (secure) software development.
You see, it’s not that the SDL is necessarily the best way of developing secure software. How many other software developers have to deal with the sorts of issues as Microsoft does? Seriously, how many people can claim that their general-purpose software will be used by hundreds of millions of people for everything from emailing the latest jokes to running mission-critical software at the largest enterprises? Not so simple to make security decisions that appease such a vast spectrum of users, is it?
Without a doubt many software development organizations – even large ones – will find Microsoft’s SDL as not quite meeting their needs. Heck, it’s not even the only game in town. There are several other lighter-weight security development processes readily available. The Open Web Application Security Project (OWASP) has its CLASP process, for example. Cigital has its “touchpoint” model. (Both of these can be freely downloaded, via here and here, respectively.) The list goes on.
But none of that is important. The fact is that the SDL is what Microsoft uses, and its future, along with the future of software security trends at Microsoft, is very much on the hook right now. Because of the sheer vastness of their market share, we all stand to lose out of the SDL fails. It is said that a rising tide raises all the ships in a harbor; well, then it stands to reason that a retreating tide lowers all the ships in a harbor just as equally.
For that reason, count me in as a supporter of the SDL. Long live the SDL.
Article courtesy of eSecurity Planet