SEATTLE -- After five years, Windows Vista is on the home
stretch to being released. And thanks to Microsoft's Security
Development Lifecycle (SDL), it's expected to be the most secure
product the company has ever released.
Michael Howard, senior security program manager at Microsoft,
told attendees at last week's OWASP AppSec conference
in Seattle how the company's use of the SDL helped find and handle
security bugs throughout Vista's development so that most of the
security issues will have been eliminated by the time the operating
system is released.
"The point of the SDL is to squeeze bugs out throughout the
process," Howard said.
That process, he said, begins with prescriptive guidance to the
developers followed by mandatory education. In fact, Microsoft
requires yearly ongoing education training for engineers. It helps
raise awareness and set expectations for them, Howard said.
"You get the biggest bang for your buck from education," he
said. "Education reduces your chance of having security bugs.
That's because if you don't know what you're looking for, you're
not going to find it."
Next in the SDL are the "quality gates," Howard said. This is
where you can "stop the bleeding," he said. Using tools, developers
check for such things as banned APIs, banned crypto, buffer
overruns, weak ACLs and integer arithmetic issues.
Howard pointed out the importance of the Standard Annotation
Language (SAL), which is used by static analysis tools. It adds
annotations to your code, which helps tools uncover harder-to-find
bugs.
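As an added illustration of the quality-gate checks and SAL annotations described above (this is example code, not Microsoft's), the function below is a bounded replacement for a banned string-copy API, annotated so a SAL-aware analyser can verify buffer sizes at call sites, plus an integer-arithmetic check of the kind those gates look for. The no-op macro stand-ins for non-MSVC compilers are an assumption so the example builds anywhere.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifdef _MSC_VER
#include <sal.h>            /* real SAL annotations, read by the MSVC analyser */
#else
/* SAL is MSVC-only; no-op stand-ins (assumption) so this also builds with gcc/clang */
#define _In_z_
#define _Out_writes_z_(n)
#define _Success_(expr)
#endif

/* Bounded replacement for the banned strcpy(): the annotations tell the
 * analyser that dst holds dst_cch chars and is NUL-terminated on success,
 * so a caller passing a too-small buffer is flagged before runtime. */
_Success_(return)
bool copy_name(_Out_writes_z_(dst_cch) char *dst, size_t dst_cch,
               _In_z_ const char *src)
{
    if (dst == NULL || src == NULL || dst_cch == 0)
        return false;
    size_t len = strlen(src);
    if (len >= dst_cch) {           /* would not fit with its terminator */
        dst[0] = '\0';              /* leave the buffer in a defined state */
        return false;
    }
    memcpy(dst, src, len + 1);
    return true;
}

/* Integer-arithmetic gate: refuse a count*size that wraps around, the
 * classic undersized-allocation bug that leads to a buffer overrun. */
bool checked_mul(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return false;
    *out = a * b;
    return true;
}
```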
Following those checks comes central analysis. During this
phase, inter-procedural analysis, binary analysis and attack
surface analysis are conducted. This is also the time when banned
APIs and crypto are removed.
Fuzzing tools also come into play during central analysis.
"A huge quantity of bugs found in the wild are due to malformed
data," Howard said. "Fuzz testing can find these."
Howard stressed, however, that tools alone do not make software
secure. "They help scale the process and they help enforce policy,"
he said.
The process doesn't end with central analysis. Threat analysis
comes next. During this phase threat modelling comes into play. Use
these models to help find design issues, Howard said. If you find
them upfront rather than at the end of the development process, you
can avoid having to go back and rework the code, which can be a
laborious process.
"All components of Vista were threat-modelled," Howard said.
That meant 1,400 threat models.
"We've learned a great deal about making threat models easier to
create by non-security experts," he said. They have done this by
moving from threat trees to patterns of threats and using risk
heuristics instead of risk calculations.
If you give developers numbers, they can fudge them, Howard
said. Instead developers are given four levels to determine the
risk, ranging from critical to low. "Anything rated critical to
important, you fix. There's no argument," he said.
The last phase of the SDL is external review. At Microsoft, most
of the security work is done by Windows engineers, but the company
does hire outside companies to look at the code. The bugs found
here should be those that are really hard to find. Once again,
Howard stressed, the people involved have to know what to look for.
If they don't, "you'll have a warm fuzzy feeling thinking you're
secure when actually you have bugs," he said.
Despite the SDL, however, one has to assume code and design will
never be perfect, Howard said. And yet customers must still be
protected. How did the developers do that with Vista? Defences were
built in to protect the operating system from being corrupted, he
said.
"If all upfront engineering fails, we've incorporated four types
of defences in," Howard said. Those defences include service
hardening; isolation, in which users are no longer administrators
by default and integrity levels help contain damage; and memory
defences.
"What's critical about Vista is all the defences are there by
default," Howard said. "And these have almost no impact on
performance."
Despite all that work, Howard concedes that there could still be
security issues with Vista.
"There will be security bugs in Vista, but over time we'll see,"
he said. "I think a lot of our competitors are in denial of their
security problems whereas we're doing something about them. Are we
perfect? No. Are we making progress? You bet."