Microsoft’s program to ensure that developers build secure code is showing early signs of success, according to a senior executive from the company. The Security Development Lifecycle (SDL) program is one of the outcomes of Microsoft’s announced focus on security and secure development.
“It’s showing early signs of results for us,” said Microsoft product manager Rick Samona. “Server 2003 went through the SDL, and 2000 did not,” he said. “The number of critical reports and security vulnerabilities has been reduced dramatically.”
According to Microsoft, all its server and commercial products had to go through the SDL, and the difference in security was remarkable.
The program also required all developers at Microsoft to go through training that completely revamped how they approach secure coding. According to Samona, each developer had to take a training course and is required to read Writing Secure Code. In addition, Microsoft banned nearly 100 unsafe functions from the developers’ arsenal.
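The article does not list which functions were banned, so the following is an added illustration, not code from the article or from Microsoft: it takes strcpy as a representative of the class of C runtime functions such a ban targets (a copy that never learns how large its destination is) and sets it beside a bounded replacement that takes the destination size, rejects input that does not fit, and leaves the buffer NUL-terminated on every path. The names copy_name_unsafe, copy_name_bounded, vet_name and NAME_MAX, and the sample inputs, are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed-size field, constructed for the example */

/* Before: the pattern a banned-function rule removes. strcpy has no idea how
 * large dst is, so a caller-controlled src of NAME_MAX or more bytes silently
 * writes past the end of the buffer (undefined behaviour). Kept here only to
 * show the shape of the problem; never call it with untrusted input. */
void copy_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);   /* no bound: overflows when strlen(src) >= NAME_MAX */
}

/* After: the replacement takes the destination size explicitly, refuses input
 * that would not fit together with its terminator, and guarantees dst holds a
 * well-defined string on every return path (empty on rejection).
 * Returns true on success, false when src was rejected as too long. Note that
 * this reports the failure instead of silently truncating, which is the trap a
 * plain strncpy swap would leave behind (strncpy also does not terminate). */
bool copy_name_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return false;
    size_t n = strlen(src);
    if (n >= dst_size) {       /* no room for the bytes plus the NUL */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);   /* bound already checked; copies the NUL too */
    return true;
}

/* Runs one untrusted string through the bounded copy and reports the outcome:
 * 1 = accepted and stored intact, 0 = rejected as too long, -1 = stored copy
 * does not match the input (should never happen; a self-check). */
int vet_name(const char *untrusted)
{
    char buf[NAME_MAX];
    if (!copy_name_bounded(buf, sizeof buf, untrusted))
        return 0;
    return strcmp(buf, untrusted) == 0 ? 1 : -1;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *short_name = "alice";
    const char *long_name  = "this-name-is-far-too-long";
    char buf[NAME_MAX];

    copy_name_unsafe(buf, short_name);        /* fine only because input is short */
    printf("unsafe copy of %s -> %s\n", short_name, buf);

    printf("bounded %s -> %s\n", short_name,
           copy_name_bounded(buf, sizeof buf, short_name) ? buf : "<rejected>");
    printf("bounded %s -> %s\n", long_name,
           copy_name_bounded(buf, sizeof buf, long_name) ? buf : "<rejected>");
    return 0;
}
```

The point of the bounded version is not just the length check but that rejection is a visible result the caller must handle, which is what turns a banned call into a reviewable one.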
“When we put an application up as a beta, we don’t want to see a security vulnerability in three months,” said Samona. “That can actually be part of the criteria before it’s shipped.”
In addition to ensuring secure software, the SDL program is also aimed at cost control. “If you fix a security vulnerability early on, it’s actually much, much cheaper than waiting down the road to fix it,” said Samona.