Microsoft in November announced Microsoft Visual Studio 2005, Microsoft SQL Server 2005, and Microsoft BizTalk Server 2006 beta 2, the first Microsoft products to have undergone the complete Security Development Lifecycle (SDL) process from inception to release. Can you talk about the significance of this?
It's tremendously significant because now you're in a situation where you actually have the ability to not have to worry about doing this later on -- this is part of the process. It lowers the bar on how much time you have to spend training people because you've already got the tools built into it. I think it will revolutionize the way we see development done, when you have these sorts of tools built into it. It's not an issue where you have to make this an afterthought; it's going to be part of the cycle from the very outset.
For the most part, in their own way they've got it. They may not be as public about it, or they may not be as visible, just because oftentimes their products aren't as targeted as much as Microsoft's are. There's a real impetus for Microsoft to make people know a lot more publicly. I know some of the companies, where I either know the security officers very well or work with them, and they're all doing some process similar to [Microsoft's SDL] to make sure their developers are doing the right thing.
I'm tremendously optimistic about the effort and the recognition that companies at all levels are putting into the fact that this is the sort of thing they've got to do. This is a fundamental sea change in the way we run business and development, with the tools being built into the development packages, with the developers being trained. They're being rated and rewarded for doing the right thing. That's going to change fundamentally the way we do things in the future.
As part of the Visual Studio 2005 release, Microsoft is partnering with companies such as Fortify Software, of which you're a director. Are these automated tools, along with new capabilities in products such as Visual Studio 2005, addressing the majority of the security issues?
I'd say majority as opposed to all. Like anything else in this business it's an evolving thing, so when you solve a big chunk of the problem obviously you reduce a lot of things. Then the bad guys are very innovative; they look for different ways to find things, so as they get more creative it's quite possible that you'll see [the vendors] will have to modify some of the tools in the future as well.
Tools like Fortify don't require the developer to be a security expert. Will this give them more power, or a false sense of security?
Absolutely. Nobody wants to be left in the dust, especially when it comes to something as important as security. So consequently when you show leadership like that, people will be moving along a lot quicker to jump on the bandwagon. Notwithstanding that, it's just good business -- the way we have to operate in today's threat environment in the online world.
No matter what companies like Microsoft or their partners do to improve application security, there will always be hackers who find vulnerabilities. Where has the industry made the most progress?
I think the most progress has been made in looking at best practices about securing software out of the box and in full implementation. For example, changing from everything turned on by default to everything turned off by default, so that you have to go in there and open up the services that you need.
The other thing that has been key is the patching cycle -- working with partners, developing better automated patching processes, but also putting more structure around the development of the patching process. Now you know what to expect, you know when to expect it, and you can build that into your change control processes.
And what areas are still most pressing?
People look at how to build things that are really cool, and those of us in security look at how we're going to break it. So there needs to be some more focus on, 'OK, we've done all the good coding stuff, now what are some other ways people can break or make it more dangerous and less effective?'
This article originally appeared on SearchAppSecurity.com.