A programme placing strict controls on developers to ensure they build secure code is showing early signs of success, according to a senior executive from the software giant.
The programme — known as the Security Development Lifecycle (SDL) — is one of the results of a 2002 company-wide memorandum from Microsoft chairman Bill Gates outlining an increased focus on security, and followed on from a series of serious security vulnerabilities that caused publicity woes.
"It's showing early signs of results for us," Microsoft product manager Rick Samona, who holds responsibility for the .NET framework and the company's developer tools, told an audience at the Tech.Ed conference on Australia's Gold Coast. He went on to outline how the SDL — a set of processes for secure software development — had improved Microsoft's security record.
Samona said all of Microsoft's server and commercial products — even the XBox 360 — had to go through the SDL — and the difference in security when compared with the company's previous software was remarkable.
"Server 2003 went through the SDL, and 2000 did not," he said. "The number of critical reports and security vulnerabilities has been reduced dramatically [when the two were compared]."
"Probably the poster child for the SDL is Internet Information Services 6. IIS6 has had one security vulnerability since it was shipped, and it was for a feature that wasn't even on by default."
He added since the third update to Microsoft's SQL database server was released, the software has had zero vulnerabilities in 24 months.
But getting such results has not been easy for the world's biggest software maker.
"Basically all the developers at Microsoft had to go through training to completely revamp the way we do security," said Samona.
"Every developer has to take training within 60 days of joining Microsoft. There's also annual refresher courses you have to take. And [the book] Writing Secure Code by [Microsoft security experts] Michael Howard [and David LeBlanc] is required reading."
Samona added an internal Web site detailed the numbers of untrained employees, categorised by which vice-president they worked under. "We email that out around to everyone," he said, citing executive pride as a key motivator.
In addition, he said, each developer is paired up with a security advisor — known as a 'buddy'. This process of peer-checking helps keep code clean of problems. But developers also have to spend time on their own reviewing code, according to Samona.
Microsoft developers are also prohibited from using certain coding functions.
"About 100 or so functions are completely banned from being used," Samona said. "Tools like strcopy, strncopy that are really hard to get right, and inherently unsafe as they don't check buffer sizes."
The company has also started using a coding function known as the GS flag to compile its software. The flag helps stop the buffer overflow attacks which are among the most common security vulnerabilities.
"The GS flag was used to compile Windows XP Service Pack 2 and a portion of Server 2003" said Samona, noting the technique had minimised the impact of the destructive Blaster worm on the second. He said Microsoft had set the option on by default in Visual Studio 2005 in an effort to see it more widely used.
At the end of the development cycle, the process gets even more strict. "When we put an application up as a beta, we don't want to see a security vulnerability in three months," said Samona. "That can actually be part of the criteria before it's shipped."
Ultimately the SDL is aimed at not only creating more secure software, but also on providing cost controls. Ramona noted that the estimated cost to his company each time it issued a security alert for one of its products was around $100,000 (£55,200). "If you fix a security vulnerability early on, it's actually much, much cheaper than waiting down the road to fix it," he said.
And it looks as if the approach may spread to other organisations.
Microsoft Australia's Ben English — who recently shifted roles but was the local security chief for some time — told Builder UK sister site ZDNet Australia increasing numbers of customers were interested in adopting the SDL internally for their own software development. Details of the methodology were available for free from Microsoft's Web site, he said.
Renai LeMay travelled to Tech Ed as a guest of Microsoft.
Renai LeMay reported from Queensland for ZDNet Australia. For more ZDNet Australia stories, click here.
