You make your enhancements and apply the SDL to the components you change and over time it gets better.
Steve Lipner, senior director of security engineering strategy, Microsoft Trustworthy Computing.
Applications that support critical infrastructure, cloud computing and a variety of sensitive business processes can benefit if a formal layer of application security processes are applied to software development activities, Lipner said in an interview with SearchSecurity.com.
“For us for sure, the thing that drives vulnerabilities down and drives exploitability down is the [Microsoft SDL (Security Development Lifecycle)],” Lipner said. “We know that people keep looking to find vulnerabilities in software, but vulnerabilities are harder to exploit.”
But applying the SDL to systems and components that run critical infrastructure – in some cases deployed 40 years ago or more – is easier said than done. Legacy software and systems running critical infrastructure are still a serious challenge to address, Lipner said, but private sector companies that maintain them can take small steps to make a difference.
“We’re realistic enough to understand that it’s not always feasible,” he said. “Even if you are working on programs that are legacy and weren’t designed with security in mind, as you update those and maintain or enhance those, there are things that you are doing during development where you can apply the SDL incrementally."
Microsoft is showcasing its SDL at its first Security Development Conference, being held this week in Washington D.C. The event’s aim is to foster awareness around secure software development processes and focus attention on the SDL, the core application security principles adopted internally by Microsoft. Microsoft provides documentation of the framework and some tools that companies can use for free.
In conjunction with the event, the software maker highlighted organizations that are adopting the SDL. The broad adoption of the Microsoft SDL principles start with security training for developers and creates incremental processes for secure design, threat modeling, application code analysis and software fuzzing. It concludes with a formal incident response program.
Smart-meter maker adopts Microsoft SDL
Liberty Lake, Wash.-based Itron Inc., a maker of smart meters used by the electric, gas and water utilities, is using the Microsoft SDL. Lipner said the news is significant because the company’s devices are being deployed at homes and businesses in the millions as the country improves its energy infrastructure. The meters are part of the so-called “smart grid,” government-funded projects to modernize the nation’s electricity transmission and distribution system. A number of utility improvements are part of the Energy Independence and Security Act of 2007 (.pdf), which mandates a modernization plan.
Security researchers have demonstrated ways to exploit vulnerabilities in some smart meters, raising concern about the secure deployment of the devices. The smart grid is seen by some experts to be a challenge in maintaining SCADA security. Although somewhat controversial -- the state of Vermont has approved a law enabling residents to opt-out of smart meter adoption without facing fees from utility providers -- smart meter adoption is rising in the United States and Canada. About one-third of the electric meters in North America have smart meters in use today, Lipner said, and experts estimate growth should increase to about 85% within the next five to 10 years, and similar growth and adoption is expected in Europe. Lipner said Itron’s formal use of the Microsoft SDL is a real endorsement of the framework in a critical application space.
“Itron realized in 2006 that smart meter spec they were working on would involve putting a disconnect switch on every meter,” Lipner said. “If they didn’t get their security of the meter from the network right, that could wind up allowing somebody to take control of the grid, or of customers’ access to power.”
India adopts Microsoft SDL for government systems
The India Computer Emergency Response Team (CERT-In) is implementing a mandate for secure development practices as part of India’s national five-year economic plan. CERT-In is using the Microsoft SDL as a core tenant for application security. India’s National Informatics Center, part of the central government of India, is requiring training in SDL principles. CERT-In is training 10,000 computer forensics investigators using methods adopted from the SDL principles.
The Indian government is also encouraging its private sector to adopt Microsoft’s core SDL principles. Lipner said he is unaware of other CERTs adopting the SDL as directly and completely as India has. CERT-In has been using parts of SDL for more than five years. Microsoft has had a strong presence in India. In 2005 it invested more than $1 billion into its economy to boost e-governance and the country’s manufacturing sector.
“India industry is important globally because a lot of software development for organizations worldwide is actually done in India,” Lipner said. “The fact that the Indian CERT is focusing on SDL by using it as the basis of cybersecurity best practices and the fact that they’re building on SDL by encouraging private industry to adopt it as well is probably going to have global significance.”