
The importance of sharing security know-how

Deep dive into Microsoft’s gospel of the Secure Development Lifecycle.

By Avantikumar, MIS Asia
June 24, 2010 02:22 PM ET

MIS Asia - In an ongoing effort to promote a more secure computing environment, software giant Microsoft has increased its efforts to share its in-house SDL [secure development lifecycle] practice throughout the industry. Adoption of this secure development process would help reduce the number of vulnerabilities as well as promote continuous improvement, it said.

"SDL is secure by default and has a long history within the company," said Microsoft senior director, Trustworthy Computing Security [TwC], security engineering strategy, Steve Lipner, who has a 40-year career in information security.

"The push to greater security has achieved rapid improvements but security must be integrated into the software development lifecycle," said Lipner. "SDL comprises all the phases of creating, developing, and maintaining software and solutions: training, requirements, design, implementation, verification, release, and response."

He said Microsoft founder Bill Gates launched the Trustworthy Computing [TwC] initiative in 2002. "By April 2003, TwC received a push and became a security 'science'. Its mission was to identify and remove new classes of vulnerabilities as well as provide a security 'audit', in effect an independent review."

"Currently, Microsoft continues to expend considerable effort in sharing security knowledge through various programmes as well as online information sites such as MSRC [Microsoft Security Response Centre] bulletins, responsible for delivering the security updates every month," he said.

The Switzerland approach

"An example of more strategic industry relationships is SDL Outreach--or the Switzerland approach--which began in the 2004-2006 period," Lipner said. "This is when Microsoft began to share SDL information aggressively. This also included focus on popular third party downloads and expansion beyond the browser ecosystem."

"Applying SDL helps to secure our mutual customers, as well as to exchange best practices, and better equip the development community," he said. "The outreach programme is conducted under mutual NDAs [non-disclosure agreements] and is resourced with a team that comprises a developer/tester expert and a relationship/engagement manager. Security is a neutral territory, hence the term--the Switzerland approach."

Steve Schlarman, eGRC solution manager at EMC-owned Archer Technologies, one of the SDL partner firms, said its compliance solution followed the SDL framework.

"The Archer solution is about enabling and managing all three aspects of GRC-- governance, risk, compliance," said Schlarman. "Enterprise GRC has multiple aspects around the managing of risk across different domains such as finance, IT, operations and legal."

"Microsoft's SDL is translated into an authoritative source for benchmarking along with other Archer-provided Authoritative Sources," he said.

End-users helped to make Office 2010 stronger

Microsoft senior security programme manager, Brad Albrecht, said: "The SDL concept within the TwC approach helped to proactively prepare the Office 2010 product through driving security and privacy across Office client and server."
