The importance of sharing security know-how

Deep dive into Microsoft’s gospel of the Secure Development Lifecycle.
  • AvantiKumar (Unknown Publication)
  • 25 June, 2010 04:11

In an ongoing effort to promote a more secure computing environment, software giant Microsoft has increased its efforts to share its in-house SDL [secure development lifecycle] practice throughout the industry. Adoption of this secure architecture would help reduce the number of vulnerabilities as well as promote continuous improvements, it said.

"SDL is secure by default and has a long history within the company," said Microsoft senior director, Trustworthy Computing Security [TwC], security engineering strategy, Steve Lipner, who has a 40-year career in information security.

"The push to greater security has achieved rapid improvements but security must be integrated into the software development lifecycle," said Lipner. "SDL comprises all the phases of creating, developing, and maintaining software and solutions: training, requirements, design, implementation, verification, release, and response."

He said Microsoft founder Bill Gates launched the Trustworthy Computing [TwC] initiative in 2002. "By April 2003, TwC received a push and became a security 'science'. Its mission was to identify and remove new classes of vulnerabilities as well as provide a security 'audit', in effect an independent review."

"Currently, Microsoft continues to expend considerable effort in sharing security knowledge through various programmes as well as online information sites such as MSRC [Microsoft Security Response Centre] bulletins, responsible for delivering the security updates every month," he said.

The Switzerland approach

"An example of more strategic industry relationships is SDL Outreach--or the Switzerland approach--which began in the 2004-2006 period," Lipner said. "This is when Microsoft began to share SDL information aggressively. This also included focus on popular third party downloads and expansion beyond the browser ecosystem."

"Applying SDL helps to secure our mutual customers, as well as to exchange best practices, and better equip the development community," he said. "The outreach programme is conducted under mutual NDAs [non-disclosure agreements] and is resourced with a team that comprises a developer/tester expert and relationship/engagement manager. Security is a neutral territory, hence the term--the Switzerland approach."

Steve Schlarman, eGRC solution manager at EMC-owned Archer Technologies, one of the SDL partner firms, said its compliance solution followed the SDL framework.

"The Archer solution is about enabling and managing all three aspects of GRC--governance, risk, compliance," said Schlarman. "Enterprise GRC has multiple aspects around the managing of risk across different domains such as finance, IT, operations and legal."

"Microsoft's SDL is translated into an authoritative source for benchmarking along with other Archer-provided Authoritative Sources," he said.

End-users helped to make Office 2010 stronger

Microsoft senior security programme manager, Brad Albrecht, said: "The SDL concept within the TwC approach helped to proactively prepare the Office 2010 product through driving security and privacy across Office client and server."

"Office now has features that include encryption, digital signatures, and protection technology," Albrecht said, adding that his team's role includes being a central source of provisioning validation tools.

"We found and fixed 16,000 security bugs within the Office development lifecycle through fuzzing techniques that dived deep through about 300 file formats," he said.

"Feedback from end-users helped to improve the body of our validation rules," he said. "This is critical as the ability to exploit vulnerabilities has become more sophisticated over the last few years."

"However, SDL continually raises the bar on security standards," he said. "A layered defence includes hardening and reducing the attack surface, mitigates potential exploits, and also helps to improve end-user experience."

Fuzzing techniques and automation tools

"The security community is becoming more interested in fuzzing techniques," Albrecht said. "Fuzzing first showed up in an academic paper in 1998, when 'white noise' was shown to crash programmes."

"File block [such as file formats in older Office] helped to reduce the attack surface," he said. "A configurable sandbox approach--a protected view--is a tool that gives further protection to the user through mitigating potential exploits, such as phishing e-mails."

"Security, or trust, decisions are supported by the sandbox viewer approach, such as Office Protected Viewer, which for example opens up any attachments from the Internet with the option to edit the opened document in the protected view," he said, adding that developing this tool took his team three years to build.

"[It] helps to avoid forcing a choice between security and productivity," he said. "Since 2007, the PowerPoint gatekeeper validation process blocked 100 per cent of vulnerabilities during the SDL process."

"There have been hundreds of thousands of downloads of the released SDL tools," said Microsoft security programme manager, Bryan Sullivan. "These cover SDL threat modelling to help in the design phase, as well as Web protection library in the implementation stage, and MiniFuzz and Binscope to help in the verification phase."

"Automation tools make the SDL possible," said Sullivan. "For instance, tools such as the MSF-Agile + SDL Process Template, which help to manage the entire SDL process."

During a demonstration of the threat modelling tool, Sullivan added: "People, no matter how expert they may be, cannot scale to the size of a company as big as Microsoft, so it is useful to use Microsoft tools that help to meet the security needs of the developer community."

"Threats can be classified into STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege)," he said.

"There is a library to use while you develop your application--a Web protection library--to help developers meet security standards during development," said Sullivan. "In addition, compiler and linker defences, such as before and after Buffer Security Check (/GS), help to separate code from data, which builds greater protection against hacking attacks."

Microsoft's role in Asia

IDC ASEAN research manager, Roger Ling, said: "IDC sees two paradigms, which continue to exist and best represent the current scenario. First of which is the cat and mouse paradox, which sees security vendors addressing newly discovered security threats, the standard and success of which is measured by the duration it takes to address avoiding and isolating possible outbreaks."

"Secondly, there is the gap that exists between more advanced users who continue to leverage on security vendors to improve security posture and the remaining who focus on maintaining the status quo," said Ling.

"As a global technology vendor with a solution line ranging from operating systems, office productivity, business solutions, server solutions, consumer applications and others, Microsoft is uniquely positioned to support the growth of information security," he said.

"IDC sees Microsoft playing a pivotal role in bridging the paradigm gap," said Ling. "For example, in the area of development, Microsoft can play a stronger role away from the cat and mouse paradigm and into providing developers with tools to develop more secure applications. From an angle of awareness, education will continue to play a pivotal role and given the mass appeal of its product line, Microsoft should continue to propagate its security messaging across. On top of these, industry developments like cloud computing and social networking continue to present an opening for vendors like Microsoft to address security concerns."

"Microsoft has come a long way since it launched its 'Trustworthy Computing' initiative in January 2002," said Ovum principal analyst, Graham Titterington. "It has always had a difficulty in walking the line between playing its full role in the fight to secure the IT environment and avoiding exploiting monopolistic powers."

"This conflict has increased as it has developed its commercial security product offerings," said Titterington. "It has entered most of the areas of activity it can. Its main opportunity now is to use all the data it is starting to collect through its Security Essentials product (the free anti-malware product) to maximum advantage for the industry as a whole."

"In future, the industry, including Microsoft, needs to work more closely with ISPs [internet service providers] to identify and disconnect malware centres, and work more with law enforcement particularly in respect of disrupting the cash flows to the criminal gangs perpetrating malware-based fraud," he said.

Titterington said that governments and corporates need to strengthen their defences against cyber attacks, including cyber espionage, to increase the protection of critical national infrastructure, and Microsoft may well have a significant role in this arena.