This month's huge Microsoft Patch Tuesday security update proves the limits of the software company's programme for secure software development, claims data security firm Imperva.

This week, Microsoft released a record number of patches in its monthly update, aimed at fixing 34 vulnerabilities.

"If Microsoft has to issue this many patches, then it is obvious that its Security Development Lifecycle (SDL), while important, is imperfect," said Amichai Shulman, chief technology officer at Imperva.

"No matter how much quality assurance you throw at the SDL process, there is a limit to the effect you can have on the quality of the software application."

The SDL is part of Microsoft's Trustworthy Computing initiative, adopted in 2002 to improve the security of its products.

According to Shulman, what has happened to Microsoft is likely to start happening to other software vendors as more complex applications are released.

The prudent use of an SDL can improve the quality of software, and the security of the information it is processing, but the threat landscape is extremely dynamic, he said.

"Companies must have defensive technologies in place to combat immediate threats that SDLs simply cannot cover," he said.