m o c . 5 b u The SDL Progress Report h t i g Progress reducing software vulnerabilities and developing threat mitigations at Microsoft 2004 - 2010 The SDL Progress Report This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Authors m o c . 5 Copyright © 2011 Microsoft Corporation. All rights reserved. h t i g b u David Ladd – Microsoft Security Engineering Center Frank Simorjay – Microsoft Trustworthy Computing Georgeo Pulikkathara – Microsoft Trustworthy Computing Jeff Jones – Microsoft Trustworthy Computing Matt Miller – Microsoft Security Engineering Center Steve Lipner – Microsoft Security Engineering Center Tim Rains – Microsoft Trustworthy Computing 1 Foreword This year I reached a fairly major career milestone – the 40th anniversary of the first report I ever wrote on the security of software. As I reflected on that milestone, three things occurred to me: First, I’ve been in the business a long time! Second, a lot of approaches to building secure software just haven’t worked. Third, I believe the industry has now developed some effective approaches to building more secure software and I’m cautiously optimistic about the future. m o c . 5 I have spent most of the last eleven years working in the Trustworthy Computing group at Microsoft, baking security and privacy principles into the culture and software development processes of the company. A key part of Trustworthy Computing is the Security Development Lifecycle (SDL). The SDL is a security assurance process that focuses on software development and introduces security and privacy throughout all phases of the development process. The SDL has been a company-wide mandatory policy since 2004. It combines a holistic and practical approach to reducing the number and severity of vulnerabilities in Microsoft products and services, and thus limits the opportunities for attackers to compromise computers. We freely share the SDL with the software industry and development organizations, and we’re delighted to see that it has been adopted (sometimes in adapted form) by a variety of ISVs and IHVs, government agencies, and end users’ development organizations. b u h t i g Even before the SDL was formalized, we created a small team to research security vulnerabilities, their causes, and systematic ways of removing them or mitigating their effects. We have come to refer to this team and its activities as “security science.” Security science is the “science inside the SDL”. We study how computer systems are attacked and how such attacks can be defeated, and then develop cutting-edge tools and techniques that help make it harder to successfully attack software. When we’re convinced that those tools and techniques are reliable and effective, we require their application as part of the SDL. And we release them to the public so that our customers, partners, and even competitors can build more secure software. In this report you’ll learn about the evolution of the SDL and the progress we have made in using the SDL and security science to reduce vulnerabilities and mitigate 2 threats to Microsoft software and services. We believe that the SDL has helped us to protect Microsoft customers, and because of its broad adoption, we believe it has also helped to protect the wider community of Internet users. If you are an independent software vendor or other software developer and you’re already using the SDL, this report will provide you with some of the background of the SDL and how it has matured over the last six years. If you’re not yet using the SDL, we hope this report will help you understand why we believe it’s an effective and efficient process and encourage you to try the SDL in your own organization. Steve Lipner Senior Director of Security Engineering Strategy Trustworthy Computing Security, Microsoft m o c . 5 h t i g b u 3 Introduction Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of that software or the data that it processes. Some of the most severe vulnera