
Incorporation of security in development lifecycle a sea change

Top security expert Howard Schmidt has viewed IT security from nearly every angle -- from the private sector at eBay and Microsoft, where he co-founded Microsoft's Trustworthy Computer Security Strategies Group, and from the government side, where he headed cybersecurity initiatives for the current Bush administration. Schmidt, currently president and chief executive of R&H Security Consulting LLC in Issaquah, Wash., talked with recently about the significance of Microsoft's Security Development Lifecycle and the automated tools that are helping developers build security into their applications.

This is the second in a two-part interview. Read part 1 of the interview, in which Schmidt clarifies what he means when he says the development process should be held accountable for application security.

Microsoft in November announced Microsoft Visual Studio 2005, Microsoft SQL Server 2005, and Microsoft BizTalk Server 2006 beta 2, the first Microsoft products to have undergone the complete Security Development Lifecycle (SDL) process from inception to release. Can you talk about the significance of this?
It's tremendously significant because now you're in a situation where you actually have the ability to not have to worry about doing this later on -- this is part of the process. It lowers the bar on how much time you have to spend training people because you've already got the tools built into it. I think it will revolutionize the way we see development done, when you have these sort of tools built into it. It's not an issue where you have to make this an afterthought; it's going to be part of the cycle from the very outset.

Microsoft seems to be out front on this. Do you see the other big software companies going this way as well?
For the most part, in their own way they've got it. They may not be as public about it, or they may not be as visible, just because oftentimes their products aren't targeted as much as Microsoft's are. There's a real impetus for Microsoft to let people know a lot more publicly. Some of the companies where I either know the security officers very well or work with them are all doing some process similar to [Microsoft's SDL] to make sure their developers are doing the right thing.

I'm tremendously optimistic about the effort and the recognition that companies at all levels are putting into the fact that this is the sort of thing they've got to do. This is a fundamental sea change in the way we run business and development, with the tools being built into the development packages, with the developers being trained. They're being rated and rewarded for doing the right thing. That's going to change fundamentally the way we do things in the future.

As part of the Visual Studio 2005 release, Microsoft is partnering with companies such as Fortify Software, of which you're a director. Are these automated tools, along with new capabilities in products such as Visual Studio 2005, addressing the majority of the security issues?
I'd say majority as opposed to all. Like anything else in this business it's an evolving thing, so when you solve a big chunk of the problem obviously you reduce a lot of things. Then the bad guys are very innovative; they look for different ways to find things, so as they get more creative it's quite possible that you'll see [the vendors] will have to modify some of the tools in the future as well.

Tools like Fortify don't require the developer to be a security expert. Will this give them more power, or a false sense of security?
I don't think it will be a false sense of security at all. When we start looking at IT operations, back in the old days the security people were the ones that did the firewalls and the antivirus. Now that's being built into day-to-day operations. It's just the way you run an IT shop. It's the same thing with the security tools. With the automated tools, the sophisticated advances of the tools, you don't have to be a specialist in this; you have to be really good at coding. And using the tools will automatically incorporate security into the work that you did.

Is this a good sign for the industry that Microsoft is reaching out to so many partners, such as Fortify, to address security issues?
Absolutely. Nobody wants to be left in the dust, especially when it comes to something as important as security. So consequently when you show leadership like that, people will be moving along a lot quicker to jump on the bandwagon. Notwithstanding that, it's just good business -- the way we have to operate in today's threat environment in the online world.

No matter what companies like Microsoft or their partners do to improve application security, there will always be hackers who find vulnerabilities. Where has the industry made the most progress?
I think the most progress has been made in looking at best practices about securing software out of the box and in full implementation. For example, changing from everything turned on by default to everything turned off by default, so that you have to go in there and open up the services that you need.

The other thing that has been key is the patching cycle -- working with partners, developing better automated patching processes, but also putting more structure around the development of the patching process. Now you know what to expect, you know when to expect it, and you can build that into your change control processes.
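The default-off posture Schmidt describes only holds if something checks that nothing has crept back on. The script below is an added example, not part of the interview or of any product it names: it parses constructed `ss -ltnp`-style output (the sample lines are made up for this example, not captured from a real host) and compares every listening socket against a hypothetical per-role allowlist, flagging any service that should be off, that is run by an unexpected process, or that is exposed beyond loopback.

```python
"""Audit listening services against an explicit allowlist.

Added example. The sample `ss` output and the allowlist below are
constructed for illustration; adapt the allowlist to the host's role.
"""
import re

# Constructed sample of `ss -Hltnp` output for a web host (not real data).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1203,fd=6))
LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=1203,fd=7))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1350,fd=21))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=640,fd=5))
LISTEN 0 128 0.0.0.0:5900 0.0.0.0:* users:(("x11vnc",pid=2201,fd=4))
"""

# Hypothetical policy for a web host: port -> (expected process, allowed scope).
# "any" means the service may listen on all interfaces; "local" means it must
# be bound to loopback only. Anything not listed is expected to be off.
WEB_HOST_ALLOWLIST = {
    22: ("sshd", "any"),
    80: ("nginx", "any"),
    443: ("nginx", "any"),
    3306: ("mysqld", "local"),
}

LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "::1"}

# Greedy \S+ before the final ':' lets bracketed IPv6 addresses parse too.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output):
    """Return [(bind_address, port, process_name), ...] from ss -ltnp output."""
    listeners = []
    for line in ss_output.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # header lines or sockets without process info
        listeners.append(
            (match.group("addr"), int(match.group("port")), match.group("proc"))
        )
    return listeners


def audit(listeners, allowlist):
    """Return findings as (port, process, address, reason) tuples.

    A listener passes only if its port is in the allowlist, it is served by the
    expected process, and a 'local' scope is honoured by a loopback bind.
    """
    findings = []
    for addr, port, proc in listeners:
        rule = allowlist.get(port)
        if rule is None:
            findings.append(
                (port, proc, addr, "not in allowlist: disable it or add an explicit rule")
            )
            continue
        expected_proc, scope = rule
        if proc != expected_proc:
            findings.append(
                (port, proc, addr, f"unexpected process; policy expects {expected_proc}")
            )
        elif scope == "local" and addr not in LOOPBACK_ADDRS:
            findings.append(
                (port, proc, addr, "bound to a non-loopback address; policy is local-only")
            )
    return findings


def audit_sample():
    """Run the audit over the constructed sample with the web-host policy."""
    return audit(parse_listeners(SAMPLE_SS_OUTPUT), WEB_HOST_ALLOWLIST)


if __name__ == "__main__":
    for port, proc, addr, reason in audit_sample():
        print(f"port {port} ({proc} on {addr}): {reason}")
```

On the sample, the telnet and VNC listeners are reported because the policy never opened them; the loopback-only MySQL bind passes. On a real host, replace the constructed string with the output of `ss -Hltnp` and keep the allowlist under change control alongside the rest of the host's configuration, so that an unexpected listener shows up as a policy violation rather than as a surprise during an incident.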

And what areas are still most pressing?
People look at how to build things that are really cool, and those of us in security look at how we're going to break it. So there needs to be some more focus on, 'OK, we've done all the good coding stuff, now what are some other ways people can break or make it more dangerous and less effective?'

This article originally appeared on
