Microsoft has launched a new website to “tell the untold story” of something it believes changed the history of Windows security and indeed Microsoft itself – the Security Development Lifecycle or plain ‘SDL’ for short.
For those who have never heard of the SDL, or don't have the remotest idea why it might be important, the new site offers some refreshingly candid insights to change their minds.
Without buying into the hype, the SDL can still fairly be described as the single initiative that saved Redmond's bacon at a moment of huge uncertainty in 2002 and 2003. Featuring video interviews with some of its instigators and protagonists, the new site offers outsiders a summary of how and why Microsoft decided to stop being a software firm and become a software and security firm in order to battle the malware that was suddenly smashing into its software.
Few outside the firm knew of the crisis unfolding inside its campus but not everyone was surprised. Microsoft now traces the moment the penny dropped to the early hours of a summer morning in 2001, only weeks before it was due to launch Windows XP to OEMs.
“It was 2 a.m. on Saturday, July 13, 2001, when Microsoft’s then head of security response, Steve Lipner, awoke to a call from cybersecurity specialist Russ Cooper. Lipner was told a nasty piece of malware called “Code Red” was spreading at an astonishing rate. Code Red was a worm — a malicious computer program that spreads quickly by copying itself to other computers across the Internet. And it was vicious.”
Others arrived in the following two years; the Blaster worm, Nimda, Code Red II, MyDoom, Sasser, and on and on. To a world and a Microsoft not used to the notion of malware being a regular occurrence, this was all a big shock.
By January 2002, with attacks on its baby XP humbling the biggest software firm on earth, Bill Gates sent his famous Trustworthy Computing (TwC) memo to everyone at Microsoft. From now on, security was going to be at the root of everything and so help us God.
That turned into the SDL, and it was given priority one to the extent that it took over the whole 8,500-person Windows development team for much of that year and the next. Its ambition was to completely change the way Microsoft made software so that as few programming errors were made that had to be fixed once customers were involved; “security could not continue to be a retroactive exercise.”
Users had also started complaining. Loudly.
“I remember at one point our local telephone network struggled to keep up with the volume of calls we were getting. We actually had to bus in engineers,” the site quotes its security VP Matt Thomlinson as saying.
The fruit of the SDL was XP’s first Service Pack in 2002, followed up by the even more fundamental security overhaul of SP2 in 2004. By then, XP had been equipped with a software firewall, an almost unthinkable feature for an OS three years eariler.
It’s arguable that despite the undoubted gains of the SDL since then, that the firm has yet to fully recover from the trauma of the period. Windows development has seemed less and less certain ever since, following up XP with the flawed Vista and more recent Windows 8 near-debacle. Microsoft still does operating systems but it’s not clear that all its users do.
Still, the SDL programme has proved hugely influential even if it’s not well known outside tech circles. It is now baked into everything. It has also influenced many other software houses and many have versions of the SDL of their own, many modelled on Microsoft’s published framework on how to run secure development.
Whatever mis-steps Microsoft has made in the last decade, security has turned into a bit of a success story right down to the firm’s pioneering and hugely important Digital Crimes Unit (DCU) that conducts the forensics necessary to track down the people who write malware in their caves. Both the SDL and DCU are seen as world leaders.
So let’s hear of for Redmond, the software giant that launched an operating system years behind the criminals but somehow clawed itself back from disaster. Most other firms would have wilted but somehow Gates's memo rallied the cubicle army.