
Microsoft becomes high priest of secure software development

The company, which has undergone a security development rebirth over the past six years, offers free tools to help outside developers build more secure software.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Historically, Microsoft was bashed for security holes in its software that led to worm outbreaks on desktops and servers around the globe and other problems. In 2002, the company saw the light and launched its Trustworthy Computing initiative, elevating security to the top priority, and began designing and building products with security in mind.

Six years later, the company's conversion seems to have worked: vulnerabilities dropped by about half from Windows XP to Windows Vista, and by 90 percent from SQL Server 2000 to SQL Server 2005.

But the environment has changed--Web applications have eclipsed desktop applications as people move more and more of their computing online. Now, 60 percent of new vulnerabilities are in Web apps, and only 14 percent of them are from the top five independent software vendors, like Microsoft and its ilk, according to research from IBM's X-Force.

Microsoft has gone from being the vendor responsible for the greatest proportion of vulnerabilities to being third, with a 2.5 percent share, the research shows. The lion's share of the vulnerabilities come from start-ups racing to get their products to market, and 70 percent of those companies do their security testing and review after they release the product, Microsoft said.

So now Microsoft is trying to convert others to the cause, offering free tools that outside developers can use to assess their software development security practices and analyze their software designs to look for security weaknesses and threats.

"By helping other companies build more secure software, especially companies that develop on the Microsoft platform, we make the Internet more trustworthy," said Steve Lipner, senior director of Trustworthy Computing at Microsoft. "That's good for our business."

Microsoft will offer free downloads in November of its Security Development Lifecycle (SDL) Optimization Model and its SDL Threat Modeling Tool 3.0, the company announced Tuesday. Also, Microsoft formed the SDL Pro Network composed of nine security consultants to help developers implement the SDL.

The SDL Optimization Model serves as a sort of blueprint for changing processes and strategy related to building secure software. The SDL Threat Modeling Tool, which Microsoft has used internally for about a year, is designed to help analyze the security of software designs and to figure out how to mitigate threats in the development process.

The companies in the SDL Pro Network, which include IOActive, Cigital, and Verizon Business, will serve as contractors and set their own fees. The one-year pilot program begins in November.

Microsoft isn't getting into the security consulting market--it's just trying to help companies improve their software so computer users are protected and feel confident online, Lipner said.

"We're not claiming we're perfect," he said. "But we have a lot of experience in this domain."

Chris Wysopal, chief technology officer of security firm Veracode, praised the announcements but wondered if Microsoft's success can be duplicated at companies with very small developer teams.

"The SDL is working for them, but the question is, will it work for the majority of the companies writing software?" he said.