Microsoft is to publish some of the findings of its Trustworthy Computing initiative to help user companies and third-party developers build more reliable Windows applications.
The aim of Trustworthy Computing is to improve the security of Microsoft software by reducing the number of coding errors and bugs that can be exploited in hacking attacks.
Microsoft is expected to unveil its best practices for developing secure code in a book called Security Development Lifecycle, due to be released in time for the US Tech Ed conference in June.
Mike Nash, corporate vice-president for Microsoft’s Security Technology Unit, said, “First and foremost is making sure we have documented threat models. One of the things we are investing in is more verification of quality.”
Nash said this was a major factor in the development of Windows Vista. “We want to verify that these threat models have been considered in the design of components.”
The threat models can then be used to run penetration testing on the software components in the operating system to verify the quality of the code.
Given the scope of the software, Nash said Microsoft was trying to make sure its engineers could assess the security risks.
However, the approach extends beyond Microsoft. Along with the book, Nash is planning to run more conferences on security. His goal is to make sure the company’s partners and customers understand the Microsoft security model.