Increasingly sophisticated attacks and malicious threats in the online world pose new challenges for software vendors and users with each passing day. Microsoft Corporation's answer to that is an initiative called Trustworthy Computing, a collaborative effort aimed at creating and delivering secure, private, and reliable computing experiences for consumers.

The initiative is based on the principle that sensitive data and personal information need to be protected at any cost, and that the technology industry must keep a hawkish eye on best practices to ensure that “reliability” and “security” form the core of every product or service.

eWorld recently caught up with Steve Lipner, senior director of security engineering strategy, Microsoft, at the company's sprawling campus in Redmond, US. Lipner has over three decades of experience in IT security and is named as inventor on a dozen patents in the computer and network security space. Excerpts from an interview:

What is the Trustworthy Computing initiative all about?

When Trustworthy Computing (initiative) was created, the idea was that computers and technology ought to be as reliable, secure and trustworthy as any other infrastructure in a modern country. You ought to be able to count on it just like water or electricity or the safety of the roads. What we are trying to do is, get to a point where people use computers and IT with confidence and they use it without worrying. And that confidence needs to be justified.

Can you talk about the evolution of Microsoft's security development practices?

When we started out building the security programs at Microsoft, the first thing we did was to go to the response process. But you can't build trustworthy software with response. And so what you have to do is to build trust and security into the software itself as it is being designed, implemented, and tested. And that is what we have done with the Security Development Lifecycle or SDL. It is to integrate security into every phase of the software development process, so what comes out at the other end is as secure as we would like it.

You lead the SDL team and have been responsible for defining Microsoft's SDL and for programs to make the SDL available to organisations beyond Microsoft. What is your approach to SDL?

SDL is a process that is developed by a relatively small team in the Trustworthy Computing organisation but it is applied by everyone who builds software in Microsoft.

It is a set of techniques for analysing software designs that we use during the early design process. It is a set of tools, and do's and don'ts that we use as we are writing code… It is a set of tests and tools that we use during the verification process when the software is mostly finished but we try to see if there is any problem that needs to be fixed.

Also, it is an overview of the software that is conducted before it is shipped, to make sure that the product team has done a sufficient job of following the processes and rules that we defined. And it is a process that continuously improves as we learn more, either because of security responses of vulnerabilities or because we get smarter about making software better.

How do you quantify the outcomes? Has it led to a reduction in vulnerabilities?

We do look at the rates of vulnerability, basically reducing the number of security problems that we encountered between one product release and the next. We also look at the severity of security problems, how bad they are. If there are security problems remaining, how hard is it for someone to take advantage of them? That is one of the things we want to do.

If there is a security problem in the software, we want to make it hard for you to exploit it. We also work more qualitatively in terms of what we are hearing from customers: what the feedback is, what the customer satisfaction scores are, and, when our executives talk to enterprise customers, whether they are hearing complaints about security or about other things, like features.

And by all those metrics we have made progress with SDL. We are not perfect but we are certainly improving.

So, between Vista and Win 7, were there any specific outcomes that pointed to reduced vulnerabilities as a result of applying SDL?

What we seek to do is to reduce the number of security vulnerabilities from one version to the next by roughly a factor of two across a common time period. And we were able to do it between Vista and Windows 7 by looking at critical vulnerabilities. That's one measure. We have other products where they have come out much better than that. But we also make it harder to exploit remaining vulnerabilities. We are starting programs to get a better measure of those… but we know we are starting to see those as well.

The software security goalpost seems to be shifting once again, with mobile malware and cloud computing. Your comments?

The Internet was a big point of change in terms of customer focus on security. Cloud and reliance on outside providers to host processing for enterprises is another change and again re-emphasises the importance of security. Fundamental approaches to security have been the same for a long time but the environment changed and specifics changed, and we have to adapt to that.

So how will the Trustworthy Computing initiative be tweaked as businesses adapt to cloud computing environments?

The fundamentals of Trustworthy Computing and SDL certainly apply in the cloud.

One of the things that is different about the cloud compared with selling licensed software to customers (for) use on premises, is that we have to think about operational aspects… things like physical security, system administration, what do you do with the audit trails… or the operational things that arise in the cloud, which end-users manage for themselves if they are not using cloud computing. And so, that is another set of factors and one that we are aware of and working on very aggressively.

There is no simple way to describe the strategy (for cloud) but it is something like we apply the SDL during development and then we apply industry best practices, like ISO standards, for operational security of the cloud services that we operate. And those things, taken together, can prove effective in protecting customer information.

(This correspondent travelled to the US at Microsoft Corporation's invitation)

moumita@thehindu.co.in
