Thursday, January 26, 2006

Securing Windows, or a Sisyphean task

/. has an interesting interview with Mike Nash, Microsoft's Security VP:

A key thing that came out of our experience with Blaster in 2003 was something called the Security Development Lifecycle (SDL). Really the SDL is the formalization of work we were doing previously. Remember Blaster exploited a vulnerability in Windows Server 2003 -- a product that had been through a security push (it also affected Windows XP). When we did the post mortem on how the vulnerability happened, what we realized was that while there were huge improvements in the quality of our code between Windows 2000 and Windows Server 2003, there was still more work to do. In particular, we needed to have: 1) a documented, repeatable process, 2) internal education so that everyone involved in the product release process knew what to do, and 3) a checkpoint in the release process to make sure that this process was followed.

This type of process is key for software security. Let's see how much practical difference this makes to the next version of Windows, due later this year!

No comments: