When Security Isn’t the Last Consideration: How Microsoft’s Security Development Structures Apply to the Real-World with our Partner Itron
Successful criminals know that all security systems have weak points and they set about the ‘job’ of locating and exploiting them. And they know this because most security systems are after-the-fact considerations, or add-ons. The security system wasn’t customized in the design of the item being secured.
In a software context, there’s all sorts of add-ons that most people are familiar with, like virus detection systems and malware preventers. But those rely on continuous updates: virus-makers’ game plans change each day. Hackers are a more dangerous breed of thief as they are looking for that one cracked window to enter.
Microsoft has been a leader implementing a different approach to security with the Microsoft Security Development Lifecycle, a process that seeks to install security measures at every step of an applications’ evolution while its under construction. It’s a detailed process with 16 mandatory SDL security steps embedded for each progressive iteration.
The best news is that it works and we’re reminded about its value in a recent blog by Doug Cavit, of the Microsoft SDL team, in his May 16 blog here. Cavit notes how our partner Itron has successfully used SDL to demonstrate that their smart grid applications are secure because of the process they use in developing them. You can read case study we have published for download here.
Here’s a key quote from Cavit:
Particularly interesting is the fact that they have also extended the SDL principles into looking not just at software applications but also the entire system including the firmware and the hardware. Itron is already benefiting from their adoption of the SDL, as the process has given them a mechanism to communicate with customers who have been asking for proof of security in the products they buy. By showing conformity to a well-established and transparent process they can demonstrate the considerations and features they are building into their products to decrease vulnerabilities and to limit the severity of attacks.
Cavit’s blog is worth the read because he demonstrates how SDL has meant ROI for Itron. No small matter. – Jon C. Arnold