I think I told this story thousands of times, and everybody knows it, but I will do it for the 1001st time now. When I joined Microsoft and became what is the Chief Security Advisor for Switzerland today, we had an airlift for Windows Server 2003. The Product Manager in Switzerland asked me to keynote the event as security became (and still is) one of the core pillars of our servers. Therefore, we decided to talk about a new initiative, then called Trustworthy Computing. I talked about it and said that Trustworthy Computing has to be an industry initiative and the Security Development Lifecycle something for everybody developing software. During the break, I was told that this remark is just a way to put the blame on the others instead of us – I am more convinced than ever: It has to be an industry initiative, no matter which development model you choose.
A few years later, we launched SAFECode in partnership with EMC, Juniper, SAP, and Symantec. The goal of SAFECode was and still is to enable experience sharing on how to develop secure code. There are more partners in the meantime – you can find them here.
A strange thing happened during the initial press conference. An analyst spoke up and said: “Well, with these companies coming together and sharing experience and information, don’t you just drive the attackers to the companies that are not a part of SAFECode?”. Well, so what? Any organization can join and/or leverage what we do, as everything on our Security Development Lifecycle is freely available, and SAFECode has published quite a number of papers on the subject, too. A lot of the tools, the methodology – everything. Free! Download it, use it, go for it!
The reason why I am writing this is the latest discussions around the Insecure Library Loading, where we published an advisory Insecure Library Loading Could Allow Remote Code Execution. To me it shows one of the biggest challenges in the industry. It is not about securing the platform. We invested a lot of energy in making Windows the most secure operating system out there. Besides applying SDL and a lot of other processes, we included technology like ASLR, DEP and others to make it harder to exploit vulnerabilities. We have probably the best incident response in the industry. But the applications remain a challenge. This is true on Windows (like this case shows) as well as on other platforms. Securing the OS is one thing. Securing the application ecosystem on top is a completely different story.
Therefore, there is a clear call to action: If you are developing software, go ahead and use any methodology to engineer security into your product from the ground up. Use SDL or any other process, which helps you to get there – but do something. If you want to get help to implement it, there is the SDL Pro Network, which can assist you (this is not for free).
It is simply irresponsible not to do it as soon as you application is used broader than “just” on your own PC.
Roger