Archive for the Security Development Lifecycle Category

10 years of building trust

Posted in Cyber Security, Security, Security Development Lifecycle, TWC on 12 Jan 2012 by Stuart Aston


When I joined Microsoft the world was a different place: we were not always connected and always on, and computer threats were a curiosity for the majority. That started to evolve rapidly, and 10 years ago today Bill Gates published his memo on Trustworthy Computing; he laid out the change of direction we would take as a company, placing security and trustworthiness as an integral component of the way in which we build software and deliver services to our customers.

Over those 10 years we have changed and evolved; SDL is an integral component of developing software not only inside Microsoft, but also for many partners and developers around the world. We have made significant contributions to improve not only Security but also Privacy, Reliability and Business Practices. Newer software continues to be safer software, as we have shown in our Security Intelligence Reports, as a result of our efforts in SDL. Microsoft Security Essentials is freely available to those who desire to use it to protect their computers.

In the last 10 years we have learnt a lot and built trust with many of our customers, and trust is one of the greatest assets that a company can have. But to maintain that trust, Trustworthiness must continue to evolve and grow to deal with the changing environment. As people place a greater reliance on computing and it becomes entwined with every aspect of our daily lives, we must continue to advance trust in technology.

But this is not something that any one technology, individual or company can accomplish alone. We will continue to work with government and industry partners on combating cyber criminals, through the work of the Digital Crimes Unit and their work on botnet takedowns and PhotoDNA, but it is only achievable by working with partners and working together to make the internet a safer place.

How can you celebrate it? I think that we can best celebrate an event by embracing it:

- Moving to x64 based architectures as part of a defence in depth strategy
- Moving to the most recent version of software that you can and keeping it patched and up to date
- Employing SDL in your development practices, or looking for behaviours like SDL in software you procure for your business
- Educate your users and developers about best practice for them, and acceptable risk for you
- Educate your family on how to be safe online.

Trustworthy computing is more important today than it was 10 years ago, and we remain committed to delivering it, with our partners.


Security and Open Source

Posted in Open Source, Security, Security Development Lifecycle on 18 Nov 2010 by Stuart Aston

A question I get a lot is: “Is Open Source more or less secure than Microsoft/Commercial Software?”

The question always surprises me, and still does, because I wonder why I or any other security professional would equate the mechanism by which software is procured with having any intrinsic impact on the security of the code that is actually written.

It is perfectly possible to write “secure” code and then licence it via any open source licencing agreement; it is also perfectly possible to write “secure” code and then licence it via a commercial licence. The inverse in both cases is equally true.

Complex software will always have problems; some of those problems will be vulnerabilities that are exploitable by attackers, and the licencing model does not really make much difference.

What does make a difference is the process that wraps the development activity: a process that includes security as part of the lifecycle of the product from inception to decommissioning. In Microsoft we call that process the Security Development Lifecycle. What matters is that there is a mechanism to deal with security incidents, the SSIRP, and that there is a clear channel of contact to report a security issue.

If you have those things, and you train your developers, program managers and testers on writing secure code and on what good and bad coding practice looks like, and invest in tools to check for known “bad” practice, then you will produce a product with improving security characteristics.

It will never be perfect, but it can be better:



Clearly, writing secure code that has defence in depth as a core measure does not address supply chain integrity issues, but again this is about “process” and rigour of the application of that process, and I know many organisations that develop open source software and commercial software with equal rigour in regards to their supply chain.

Microsoft produces both commercial and open source software, but we do not vary our standards from one to another.

And the licencing model? It’s just that: a mechanism by which the IP of the developer is recognised, protected and in some cases rewarded financially.
