Risk

2/17/2012
10:19 AM
50%
50%

How Microsoft Made Windows Secure From Ground Up

Microsoft's Steve Lipner, who was a major proponent of the need for a secure development methodology, talks about the successes of Microsoft's push--and the costs.

When Microsoft announced the Trustworthy Computing Initiative more than a decade ago, it seemed little more than a marketing push. Yet the company managed to create a sustained security program aimed at locking down its software. A key component of the initiative is the Secure Development Lifecycle (SDL), an iterative approach to programming that helps identify and resolve security weaknesses.

For more than a decade, the SDL has generated impressive results for Microsoft--leading, for example, to the decline of critical vulnerabilities in 2011 to their lowest level in five years.

Steven Lipner, the partner director of program management for Microsoft's Trustworthy Computing, had once held the belief that the computer security could be solved in a provable way. After a decade of working on Microsoft security, Lipner is the first to admit his former naivete. Dark Reading caught up with Lipner before the coming RSA Conference and talked about the success of the SDL and its costs.

DR: In what ways has the SDL paid off for Microsoft and its code base? What sort of metrics does Microsoft look at to gauge success or failure?
Lipner: In terms of measuring success, we look at a couple things. One of them is customer confidence--do people believe that we are in fact doing the right thing in developing software securely? And on that front, [a decade ago] Microsoft was not in the best position from a security perspective, whereas today we are in a much better position. So from that perspective, we view the initiative as successful.

Internally, we look at numbers, we look at metrics. We look at how many vulnerabilities, how many issues we have to fix. And that includes severity--how much impact do the vulnerabilities have on customers? We also look at the exploitability index. We have the exploitability index out for more than 18 months, and we are looking at that to say, OK, if there are vulnerabilities out there and they are discovered, how hard is it to exploit them and do harm to our customers?

Read the rest of this article on Dark Reading.

How can companies find and fix vulnerabilities before they lead to a breach? Better yet, how can software developers identify flaws in their applications before the new software is ever deployed? In this report, Eliminating Vulnerabilities In Enterprise Software, Dark Reading offers a look at some tips and tricks for software development and vulnerability assessment. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11471
PUBLISHED: 2018-05-25
Cockpit 0.5.5 has XSS via a collection, form, or region.
CVE-2018-11472
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has Reflected XSS during Login (i.e., the login parameter to admin/index.php).
CVE-2018-11473
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login parameter to users/registration).
CVE-2018-11474
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. A password change at admin/index.php?id=users&action=edit&user_id=1 does not invalidate a session that is open in a different browser.
CVE-2018-11475
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has a Session Management Issue in the Users tab. A password change at users/1/edit does not invalidate a session that is open in a different browser.