Microsoft's Steve Lipner, who was a major proponent of the need for a secure development methodology, talks about the successes of Microsoft's push--and the costs.
When Microsoft announced the Trustworthy Computing Initiative more than a decade ago, it seemed little more than a marketing push. Yet the company managed to create a sustained security program aimed at locking down its software. A key component of the initiative is the Secure Development Lifecycle (SDL), an iterative approach to programming that helps identify and resolve security weaknesses.
Steven Lipner, the partner director of program management for Microsoft's Trustworthy Computing, had once held the belief that the computer security could be solved in a provable way. After a decade of working on Microsoft security, Lipner is the first to admit his former naivete. Dark Reading caught up with Lipner before the coming RSA Conference and talked about the success of the SDL and its costs.
DR: In what ways has the SDL paid off for Microsoft and its code base? What sort of metrics does Microsoft look at to gauge success or failure? Lipner: In terms of measuring success, we look at a couple things. One of them is customer confidence--do people believe that we are in fact doing the right thing in developing software securely? And on that front, [a decade ago] Microsoft was not in the best position from a security perspective, whereas today we are in a much better position. So from that perspective, we view the initiative as successful.
Internally, we look at numbers, we look at metrics. We look at how many vulnerabilities, how many issues we have to fix. And that includes severity--how much impact do the vulnerabilities have on customers? We also look at the exploitability index. We have the exploitability index out for more than 18 months, and we are looking at that to say, OK, if there are vulnerabilities out there and they are discovered, how hard is it to exploit them and do harm to our customers?
How can companies find and fix vulnerabilities before they lead to a breach? Better yet, how can software developers identify flaws in their applications before the new software is ever deployed? In this report, Eliminating Vulnerabilities In Enterprise Software, Dark Reading offers a look at some tips and tricks for software development and vulnerability assessment. (Free registration required.)
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.
As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Published: 2014-10-21 Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.
Published: 2014-10-21 Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...
Published: 2014-10-21 SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...