Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

Security Development Lifecycle

Microsoft has documented their "Trustworthy Computing Security Development Lifecycle", the "process that Microsoft has adopted for the development of software that needs to withstand malicious attack" (doesn't all software need to withstand malicious attack?). This paper details the changes that Microsoft has made to its normal design/program/test/release software development cycle to ensure the security of their products.
There are very few software companies that take security as seriously as Microsoft does today. They've heard and understood the criticism of their products, and it's great that they've developed this detailed development methodology. That said, I think that their conclusions regarding the SDL's effectiveness may be overblown. For instance, they cite going from 62 critical bugs in Windows 2000 Server to 24 in Windows Server 2003. I wonder how much of this reduction is due to their high falutin' development plans and how much is due simply to avoiding buffer overflows. Searching their source code and replacing strcpy() with safestrcpy() probably accounted for a number of these bug fixes. I particularly like the SQL Server chart, pre- and post-SDL — "after we fixed a bunch of bugs, there were fewer bugs!" Well, duh!
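For readers who haven't seen the mechanical fix the post is alluding to, here is an added C example (not code from the original post or from Microsoft): the unbounded strcpy() "before" beside a bounded, truncation-reporting copy. The function names, the 16-byte buffer size and the sample strings are all constructed for this illustration; the bounded routine is a stand-in, not Microsoft's safestrcpy() or strcpy_s().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed fixed buffer size for the example */

/* The pattern the post refers to: an unbounded strcpy() into a fixed
 * buffer. Any source of NAME_LEN bytes or more (counting the NUL) writes
 * past the end of 'dst', which is undefined behaviour and the classic
 * stack overflow. Kept only as the "before"; never fed a long input. */
static void copy_unbounded(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
}

/* Bounded replacement (constructed here, not a vendor API): copies at
 * most dst_size - 1 bytes, always NUL-terminates, and reports
 * truncation so the caller can reject the input rather than continue
 * with a silently mangled value.
 * Returns 0 on success, 1 if src was truncated, -1 on bad arguments. */
static int copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    size_t n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* The question a source audit asks at every strcpy() call site: would
 * this source overflow a destination of dst_size bytes? */
static int would_overflow(size_t dst_size, const char *src) {
    return strlen(src) >= dst_size;
}

/* Helper for checking results: run copy_bounded() into a NAME_LEN buffer
 * and return the stored length, or -1 on argument error. */
static int bounded_len(const char *src) {
    char tmp[NAME_LEN];
    if (copy_bounded(tmp, sizeof tmp, src) < 0) return -1;
    return (int)strlen(tmp);
}

int main(void) {
    char name[NAME_LEN];
    const char *ok = "alice";                                   /* constructed */
    const char *too_long = "this-name-is-far-too-long-for-the-buffer"; /* constructed */

    copy_unbounded(name, ok);  /* 6 bytes into 16: fits */
    printf("unbounded copy of short input: '%s'\n", name);
    printf("would the long input overflow a %d-byte buffer? %d\n",
           NAME_LEN, would_overflow(NAME_LEN, too_long));

    int rc = copy_bounded(name, sizeof name, too_long);
    printf("bounded copy: rc=%d value='%s' len=%zu\n", rc, name, strlen(name));
    return 0;
}
```

The bounded copy returns a status precisely so that the call site can treat truncation as an input-validation failure; swapping the function name alone, without checking that return value, removes the memory corruption but can still leave the program operating on a silently shortened string.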
By Periodik Labs on March 21, 2005 10:00 AM |