It’s been 10 years since I did any hands-on dev work. However working in the security space at Microsoft, “SDL” or the Security Development Lifecycle is very visible and obviously important to even those not directly involved in development.
We had the opportunity here in LA to share with customers how Microsoft took BillG’s edict that security should be our top priority, and over the past couple of years re-engineer our entire development process to implement this vision at every level - from design through to post-release maintenance.
An important component of SDL is post-release (ok, it’s close to my heart - I work there!). In Microsoft, the MSRC provides a formal mechanism to investigate reports of security vulnerabilities, to co-ordinate their remediation, and to publish both the technical response and communication and guidance around them. And an important aspect is that we always do a root-cause analysis, and feed this back into our SDL process to help us “catch” anything similar in the future.
It was a real eye-opener from me to hear a full spectrum of experiences from PDC attendees. I have heard from people with environments who sincerely have no interest in security, or at least don’t believe or understand it could be of importance to them - through to some people who have undergone very thorough security development lifecycle implementations from which we can all learn.
One thing you must say about Devs - they are an enthusiastic bunch! I must say that I’ve never felt such a buzz in any other conference. I’ve enjoyed getting to meet a lot of interesting folks and hear about some fascinating environments - but it’s a rather tired Simon who’s heading back to Redmond tonight.
For those still in LA, don’t forget that Friday we have a Security Symposium on the SDL - go and heckle Mike, Steve and co. for me ;-)
-Simon Conant
*This posting is provided “AS IS” with no warranties, and confers no rights.*