Back in 2002, Microsoft executives realized they had a serious problem at hand. As the primary target of a growing global community of amateur hackers and professional cybercriminals, Microsoft knew it had to do something to improve the security of its code or it was likely to become a party pooper at the online fiesta. The Bill Gates Trustworthy Computing e-mail of January 2002 got lots of PR focus, but Microsoft's real security workhorse was a new development process called the Security Development Lifecycle (SDL).
Since 2004, all new Internet-facing software developed by Microsoft has gone through SDL. Microsoft says that SDL has really helped to decrease the number of software vulnerabilities and lower the cost of fixing insecure code.
SDL always seemed like a hidden treasure that Microsoft should bring to the masses. Redmond finally externalized SDL last month with a series of tools, services, and programs. Great stuff until you realize what you are up against. Software developers are trained and paid to write business logic as quickly as they can. Few know anything about secure development. Even Microsoft needs help.
Redmond found these secure development skills in a number of partners, including a small Massachusetts company named Security Innovation. Never heard of 'em? You are not alone. In the esoteric overlapping worlds of security and software development, Security Innovation may stand alone. The company offers a portfolio of training, testing, and tools. Don't know anything about secure development processes? Security Innovation can teach you. Want to figure out how secure (or insecure) your code is? Security Innovation can tell you which way the security winds are blowing. Security Innovation can even certify code that passes its tests and meets certain metrics.
I am fairly convinced that large organizations will require specific secure software development processes and certifications as part of their Requests for Purchase (RFPs) with technology vendors in the near future. Microsoft also anticipates this, which is one reason why the company continues to evangelize and offer its SDL to the market.
Ultimately, however, secure software development depends upon expertise and guidance, not just models and testing tools. Given this, companies like Security Innovation transform from geeky niche security players to critical service providers to a broad market. Microsoft, for one, is betting on this secure development metamorphosis.