Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘SAFECode’

Microsoft SDL Progresses and Demonstrates Software Assurance Leadership

Wednesday, February 3rd, 2010

Microsoft built upon its Secure Development Lifecycle (SDL) this week with an announcement at the Black Hat conference in Washington DC. With this announcement, Microsoft will provide a simplified implementation of SDL. The goal here is to spread the goodness of SDL to smaller or less sophisticated development organizations.

Microsoft also extended its support for Agile development with new templates and integration with development and testing tools. Finally, Microsoft announced a number of new partners in its SDL Pro Network (i.e. third parties providing tools and/or services based upon SDL). New recruits include Software Assurance leaders like Booz Allen Hamilton, Codenomicon, Fortify, and Veracode.

This particular Microsoft announcement won’t get much play compared to, say, the Windows 7 announcement, but as a security insider, I think it is important for several reasons:

  1. It is easy to blame Microsoft for security problems, but these accusations are often based on history, not present reality. The fact is that all of Microsoft’s products go through SDL and Microsoft is promoting SDL on its own dime. Yes, other software vendors have their own software assurance processes and tools, but no other vendor is as open about its own SDL or working as hard to stress the importance of secure software development.
  2. SDL is growing on all fronts: the model itself, adaptation to different development models, integration with development and testing tools, and more and more professional services firms. Again, Microsoft isn’t making money on SDL, but it continues to invest here.
  3. If you don’t know SDL, you will soon. Whether it is Microsoft’s SDL or another similar model, secure code development will become a standard in the near future. Why? As the Federal Government embraces cyber supply chain assurance, you won’t be able to sell ANY technology products to the government unless you adhere to an SDL model. The same will hold true in other critical infrastructure industries like financial services, telecommunications, utilities, etc.

I really applaud Microsoft for calling attention to SDL. Whether most people realize it or not, a lot of software developers never think about security as they are writing code. This is the root cause of a lot of our current — and future — security woes.

One final note. Microsoft’s SDL is not a proprietary model for Windows. Any developer can use it. If you are an out-and-out Microsoft basher, I suggest you visit SAFECode.org, an organization focused on Software Assurance.

Security Development Lifecycle (SDL) for Agile Development

Tuesday, November 10th, 2009

While all of the recent Microsoft buzz centers on Windows 7, the company made a small but important announcement this week. At TechEd Europe in Germany, Microsoft announced that it has adapted its SDL model to accommodate Agile software development.

This announcement needs a bit of clarification. First, Agile software development is an iterative software development model based upon teamwork, cooperation, and communication around specific software functionality. The goal here is rapid application development of specific “chunks” of software functionality rather than the massive, multi-phased software development models of the past. These principles were adapted from successful manufacturing processes such as Six Sigma and the Toyota 5S methodology.

Since its inception in 2001, the Agile development model has gained popularity as it fits well with today’s web-based applications. It is worth noting, however, that there is no single Agile development model. This makes sense as Agile’s focus on teamwork and communication leaves plenty of room for improvisation.

While Agile development has demonstrated its ROI value, the emphasis was always on rapid application development and not necessarily on security. Recognizing this deficiency, Microsoft jumped in by adapting its SDL model for Agile. Since the Agile model does not have distinct phases and features rapid release cycles, Microsoft broke its process-oriented SDL into “buckets” of activities. Some of these activities must be done for each Agile project (e.g. threat modeling), some must be done once (e.g. updating compilers), and some must be done on a case-by-case basis (e.g. fuzz testing). Microsoft produced a number of tools and papers to help developers align their Agile development processes to each of these buckets. Ultimately, all of the goodness of SDL remains intact, but developers can customize it for their own needs.

This may seem deep in the technical weeds, but I believe this is an important announcement because:

  1. Agile development is widespread. Microsoft uses it internally, so aligning Agile with SDL was an important corporate goal.
  2. Software security is generally very poor — especially around web applications.
  3. Software assurance is at the heart of many cybersecurity improvement plans such as the Cyber Supply Chain Assurance Model being studied and promoted by SAIC and SAFECode.org.

It is also worth mentioning that SDL is not a profit center for Microsoft. The SDL model creation, development, support, and distribution costs Microsoft a lot of dough each year.

I hope this announcement gets the attention it deserves, especially with Computer Science programs, developer communities, security professionals, and public policy makers. Software security is everybody’s business.

Cybersecurity Supply Chain Management

Wednesday, October 28th, 2009

While travelling by train from Boston to NYC, I read two very thought-provoking papers on cybersecurity. Both are about a concept known as the cybersecurity supply chain. At a fundamental level, this thesis states that security is only as good as the whole supply chain process. Therefore, large organizations must check the security of their suppliers, the integrity of their products, and the end-to-end systems created by the amalgamation of the piece parts.

I’ve long preached a similar concept called business process security but the cybersecurity supply chain extends a bit further than my model.

The first paper titled, “Software Supply Chain Integrity Framework,” can be downloaded from the SAFECode site, an organization dedicated to software assurance composed of Adobe (ADBE), EMC (EMC), Juniper Networks (JNPR), Microsoft (MSFT), Nokia (NOK), SAP (SAP), and Symantec (SYMC).

The second paper titled, “Building a Cyber Supply Chain Assurance Reference Model,” can be downloaded from this link (http://www.saic.com/cyber-supply-chain/?intcmp=hs_cybersupplychain) on the SAIC (SAI) site.

Very interesting reading for CISOs or technology vendors working with large organizations or government agencies.

© 2010 Enterprise Strategy Group, Milford, MA 01757