Microsoft still has a long way to go with security, its senior security strategist Phil Reitinger told an impasse audience in Australia yesterday.
Speaking at the National Security Australia 2005 conference, Reitinger proclaimed it is of critical importance to the IT industry that developers are trained to write secure code, and said the war will be won in the development stage.
He also advocated Microsoft's Security Development Lifecycle (SDL) model to make the process easier. SDL is Microsoft's current software security quality assurance framework involving a series of a checks at each stage of development.
Reitinger noted current common criteria for development does not require software to be designed by a process that reduces vulnerabilities - something that Microsoft is responding to with the SDL.
"The stats so far have been pretty good. For Exchange Server 2000 Service Pack 3, which is more than just a patch, it's sort of like an uber set of software changes. Prior to the trustworthy computing strategy it had eight security bulletins - when the new service pack came out developed under the twc/sdl process it had two," Reitinger said of the new regime.
"Is this good enough, no, we need it to reduce. But it does show progress, that the process is working and we are reducing the number of vulnerabilities in code. The SDL process includes security milestones at every stage of the design process - as the software design starts a team of security people are assigned to the development team".
"This is now mandatory in Microsoft for products that pose a security risk," he continued. "That is, products that are used in the enterprise or products that are internet-based. IT may not be everything but due to the business, due to the critical infrastructure it's got to do this. One of the most critical issues that the IT industry as a whole needs to address is the rising count in vulnerabilities - those who run IT systems live this on a day to day basis."
The SDL has been used in Windows Server 2003, SQL Server 2000 SP3 and the upcoming release of Exchange Server 2003 SP2.
However, it was not used in the development of Windows SP2. Recently, Bill Gates drew attention to a recent Microsoft study that showed 64 percent of developers are not confident in their ability to write secure applications.
That same week, Microsoft issued a dozen security bulletins for various vulnerabilities, more than half relating to SP2. Further vulnerabilities were found in Windows Media Player, MSN Messenger, Internet Explorer and the Office Suite.