

Making Windows Secure From The Ground Up

Microsoft's Steve Lipner, who was a major proponent of the need for a secure development methodology, talks about the successes of Microsoft's push -- and the costs

When Microsoft announced the Trustworthy Computing Initiative more than a decade ago, it seemed little more than a marketing push. Yet the company managed to create a sustained security program aimed at locking down its software. A key component of the initiative is the Secure Development Lifecycle (SDL), an iterative approach to programming that helps identify and resolve security weaknesses. For more than a decade, the SDL has generated impressive results for Microsoft, helping, for example, to bring critical vulnerabilities in 2011 down to their lowest level in five years.

Steven Lipner, the partner director of program management for Microsoft's Trustworthy Computing, once held the belief that computer security could be solved in a provable way. After a decade of working on Microsoft security, Lipner is the first to admit his former naiveté. Dark Reading caught up with Lipner ahead of the upcoming RSA Conference and talked about the success of the SDL and its costs.

DR: In what ways has the SDL paid off for Microsoft and its code base? What sort of metrics does Microsoft look at to gauge success or failure?
Lipner: In terms of measuring success, we look at a couple of things. One of them is customer confidence -- do people believe that we are in fact doing the right thing in developing software securely? And on that front, [a decade ago] Microsoft was not in the best position from a security perspective, whereas today we are in a much better position. So from that perspective, we view the initiative as successful.

Internally, we look at numbers, we look at metrics. We look at how many vulnerabilities, how many issues we have to fix. And that includes severity -- how much impact do the vulnerabilities have on customers? We also look at the exploitability index. We have had the exploitability index out for more than 18 months, and we are looking at that to say, OK, if there are vulnerabilities out there and they are discovered, how hard is it to exploit them and do harm to our customers?

DR: Adobe's Brad Arkin has frequently said that driving up the cost for attackers to exploit Adobe software is a primary measure for the company. Is that important for Microsoft as well?
Lipner: It is not an exclusive focus, but it is something that we look at. For example, we have also looked at the exploitability index recently and have seen that for Windows 7, the exploitability rates are a lot lower than for older versions of Windows.

If we can drive the severity down, if we can drive the exploitability down, or if we can drive the number of vulnerabilities down, those are all things that we think are measures of success. We are not moving away from trying to drive the numbers of vulnerabilities down, but those other things are also measures of success in our mind.

DR: What has been the cost of implementing the SDL? Can this be seen as a ROI, or is it a pure cost of doing business?
Lipner: Back in the early days of TwC, because of the Windows security push, we shut down the Windows division and said, "We are not going to do anything but security." So it was possible for us to measure and know what that measure cost.

I worked with defense contractors, in my early days in the industry, and they measure what you are doing every 15 minutes or half hour, so it is possible to know costs precisely in that environment. In the commercial vendor environment, we know someone is working on Windows networking ... but we don't measure hours that precisely, so getting fine-grained cost numbers is not easy.

That said, the thing we know about the SDL is that it is affordable. We have had it for almost eight years, and we are still doing it. So that says that it is something that is consistent with doing commercial software and the cost burden isn't unaffordable.

In terms of return, we talked about the metric driving the number of vulnerabilities down -- that is clearly a payoff. There have been studies that show that fixing a bug in development is much cheaper than fixing after the product ships. But there is a big return on investment in terms of customer confidence. (See one example with the banking industry.)

DR: Where does SDL go from here?
Lipner: We do an update every year ... generally on October 1. Internally, we are working on what we will call SDL version 6. That will mean more secure, better tools, easier for product groups to apply, taking advantage of the lessons learned, and doing what we can to make the software more secure.

Back when I started in this business, I thought we were going to build a secure system, prove it was secure mathematically, and we'd be done. But security doesn't work that way, so we continue to have to refine the process and make it more effective and easier to use. And we take what we have learned and make it available to customers and partners.

Reader comments

User Rank: Apprentice, 2/22/2012 7:36:42 AM
re: Making Windows Secure From The Ground Up
Good article. Thanks for the information on securing Windows; it's really a must to protect Windows properly.

User Rank: Apprentice, 2/20/2012 6:45:41 AM
re: Making Windows Secure From The Ground Up
"A key component of the initiative is the Secure Development Lifecycle (SDL), an iterative approach to programming that helps identify and resolve security weaknesses."