Today, Microsoft “declares its conformity to ISO 27034-1”, Charney announced in his keynote address. The standard, he said, is a “flexible and adaptable framework for implementing and demonstrating secure development practices.”
Charney called on the audience, government and vendors to also pledge their conformance to ISO 27034-1, which, he said, “allows the even measurement of security.”
Charney spent the majority of his address analysing the evolution of the Secure Development Lifecycle since its birth in 2002. “Steve Lipner once said that the magic of the SDL isn’t that we can do secure development, but that we can apply it across multiple business divisions involving 36,000 engineers, and I always remember that as being so true.”
The Security Development Lifecycle is built around five foundations: policy, training, consulting, tooling and measurement, Charney said. “The measurement is important not just to determine whether it is being done, but to find out whether it’s having the expected impact. Has running the tool made the product more secure?”
In the early days of the SDL, it was viewed within Microsoft “as a tax. Over time, it became apparent that customers were happier, and thus [SDL] became viewed as a competitive advantage and a value proposition. It was a seminal moment.”
As the SDL matured, customers stopped complaining about security, Charney recalled. “People had a perception of Microsoft code being way too vulnerable. Perception matters – it drives decisions.”
Evolution in attitudes within Microsoft was significant in other ways too. “In the old Microsoft model, developers were King. But it’s not appropriate for any developer – no matter how good – to make a decision or approve a release that might put the company at risk”, said Charney.
The other significant philosophical shift Charney referred to is the acceptance that vulnerabilities will “never be reduced to zero. We tracked vulnerabilities and saw them reducing at a significant pace – admittedly aided by the fact that the original vulnerability numbers were very high – but knew we’d never get to zero. It’s just not possible”, he said.
Focus was thus shifted to defense in depth, mitigation, and “keeping people secure by using products securely. We need to make the internet as secure – or more secure – than the physical world, without promising complete security which we can’t keep.”