Microsoft is to publish some of the findings of its
Trustworthy Computing initiative to help user companies and
third-party developers build more reliable Windows
applications.
The aim of Trustworthy Computing is to improve the security of
Microsoft software by reducing the number of coding errors and bugs
that can be exploited in hacking attacks.
Microsoft is expected to unveil its best practices for
developing secure code in a book called Security Development
Lifecycle, due to be released in time for the US Tech Ed conference
in June.
Mike Nash, corporate vice-president for Microsoft’s Security
Technology Unit, said, “First and foremost is making sure we have
documented threat models. One of the things we are investing in is
more verification of quality.”
Nash said this was a major factor in the development of Windows
Vista. “We want to verify that these threat models have been
considered in the design of components.”
Those threat models then drive penetration testing of the operating
system's components, so that testers target the threats identified at
design time and verify that the code actually mitigates them.
Given the size of the code base, Nash said Microsoft was working to
ensure its engineers could assess the security risks of the components
they build.
The approach is not confined to Microsoft's own engineers. Along with
the book, Nash is planning to run more conferences on security. His
goal is to make sure the company's partners and customers understand
the Microsoft security model.