
Microsoft Security Development Lifecycle (SDL)

We all know that at one time Microsoft was considered the laughing stock of computer and software security. While it's debatable whether Microsoft's code was really much worse than any other vendor's, the fact is that Microsoft's large installed base made it the focal point for hackers and malware. Exploits at the time were high-visibility events that got a lot of media coverage.

That seems like a hundred years ago to most of us in the Microsoft security community. While security is always a work in progress, Microsoft has gone from what many thought of as the least secure software company in the world to what many now consider the most secure.

It didn't happen overnight, and it wasn't magic or the "power of money". What enabled Microsoft to turn so quickly from insecure to secure was Bill Gates' mandate (the 2002 Trustworthy Computing memo) that secure software development would be job one, followed by the implementation of the Microsoft Security Development Lifecycle, or SDL.

The SDL provides processes and procedures that programmers and application developers can use to ensure that software is built with security in mind. Security isn't "bolted on" afterward. Instead, security requirements, threat modeling and fuzz testing are applied throughout development, so that the security "surprises" are found by the product team before shipping rather than by attackers after it.
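To make the fuzz-testing part of that concrete, here is an added example (not code from the post, and not Microsoft's SDL tooling). It uses a small constructed record format (a count byte, then length-prefixed records) with two parsers: a "naive" one that trusts every length field, and a hardened one whose only failure mode is a defined ParseError. A tiny mutation fuzzer, seeded so the run is repeatable, feeds both parsers mutated inputs and reports any input that produces an exception the parser did not intend. The format, parsers and seed input are all assumptions made up for this example.

```python
import random
from typing import Callable, List, Tuple


class ParseError(Exception):
    """The parser's *intended* failure mode for malformed input."""


def parse_records_naive(data: bytes) -> List[bytes]:
    # Bug (deliberate): trusts the count and length fields, so truncated or
    # over-long input surfaces as an unplanned IndexError, or as silently
    # short records. This is the kind of surprise fuzzing is meant to find.
    count = data[0]
    pos = 1
    records = []
    for _ in range(count):
        length = data[pos]
        pos += 1
        records.append(data[pos:pos + length])  # silently short if truncated
        pos += length
    return records


def parse_records_hardened(data: bytes) -> List[bytes]:
    # Every field is bounds-checked before use; all failures are ParseError.
    if not data:
        raise ParseError("empty input")
    count = data[0]
    pos = 1
    records = []
    for _ in range(count):
        if pos >= len(data):
            raise ParseError("missing length byte")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ParseError("record overruns input")
        records.append(data[pos:pos + length])
        pos += length
    if pos != len(data):
        raise ParseError("trailing bytes after last record")
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    # Classic mutation strategies: bit flip, byte overwrite, truncate, insert.
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2 and buf:
        del buf[rng.randrange(len(buf)):]  # may yield empty input
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target: Callable[[bytes], List[bytes]], seed_input: bytes,
         iterations: int = 500, seed: int = 0) -> List[Tuple[bytes, str]]:
    """Return (input, exception name) for every unintended exception."""
    rng = random.Random(seed)  # fixed seed: findings are reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            target(case)
        except ParseError:
            continue  # intended, documented failure: not a finding
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes


# Constructed valid seed input: 3 records, "abc", "de", "fghij".
SEED_INPUT = bytes([3, 3]) + b"abc" + bytes([2]) + b"de" + bytes([5]) + b"fghij"

if __name__ == "__main__":
    for name, parser in (("naive", parse_records_naive),
                         ("hardened", parse_records_hardened)):
        found = fuzz(parser, SEED_INPUT)
        print(f"{name}: {len(found)} unintended exceptions")
        for case, exc_name in found[:3]:
            print(f"  {exc_name} on {case!r}")
```

The fuzzer only catches what blows up; the naive parser's other defect, returning silently short records when a length field points past the end of the input, would need an invariant check on the result (for example, that every record is as long as its length byte claims) to be caught. In the SDL the same loop runs with far more iterations, real file formats and crash triage, but the principle is the one shown: mutate valid input, run the parser, and treat anything other than its documented error path as a bug to fix before release.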

The SDL is now part of all software development at Microsoft, and the results of its implementation are striking. All you need to do is compare the number of security issues reported for Windows Vista against previous Windows client versions, or for Windows Server 2008 against previous Windows Server versions.

Microsoft has put together a new landing page for the SDL at http://msdn.microsoft.com/en-us/security/cc448177.aspx, where you can get more information about the process. Then, when you're considering purchasing software from Microsoft or another vendor, ask that vendor for information on their own secure development lifecycle and details on how they implement it, comparable to what Microsoft publishes on the SDL page.

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)
