In January 2002 Bill Gates sent out the renowned “Trustworthy Computing” memo, in which he announced that the company would shift its focus from adding new features and functionality to security and privacy. This was what led to the formulation of the Security Development Lifecycle (SDL). This process is now mandatory for all development at Microsoft with meaningful business risk and/or with access to sensitive data. The SDL led to great reductions in the number and severity of vulnerabilities in the products that went through the process.
When the vulnerabilities in the Operating System (OS) were diminished, Microsoft noticed that the threats moved to the application layer. This led them to want to spread their model to application developers. One interesting target group is mid-sized Independent Software Vendors (ISVs), mainly because there are so many of them. Finding out what development process they use today, and how they would benefit from and could be informed about the SDL, is of interest to Microsoft.
Interviews with Microsoft evangelists, security experts and representatives from the target group have been performed to get a better understanding of the situation today and how it could be improved. The interviews have resulted in a number of recommendations for how to adjust the SDL, and the information concerning the process, to meet mid-sized ISVs' needs. A clear need for information that is categorized and directed to the different business areas in the software industry, with specific recommendations and courses of action for each of them, has been identified.
The interviews have also resulted in a situation analysis of the security awareness in the target group today and the experts' view of which activities in the SDL they would benefit from. The maturity level among the ISVs was found to be low, as was their own estimated vulnerability level. The estimated security awareness in the future, on the other hand, is high; this can be attributed to the upcoming migration to cloud services that is requested by the customers and the security issues this will lead to. One activity that is agreed upon as suitable to introduce is threat modeling, which requires little security knowledge yet leads to a dramatic reduction in vulnerabilities. The experts have also shared improvements they think could be made to the SDL.
Source: Linköping University
Authors: Gunnbäck, Johannes | Mischel, Helena