Many of us no doubt remember Chairman Bills now infamous 2002 memo to all Microsoft employees in which he put product security as the top priority for the company. Indeed, he went so far as to tell them that security concerns would trump new features in software products. Thats a significant and bold statement for any software development company and it is to be applauded. Great stuff, Bill!
But here it is 2007 and what has really changed? We saw some significant security advances in the XP family, most notably in service pack 2 (SP2). Numerous SP2 security enhancements were at last opt-out and not opt-in, meaning that, for the first time, security features such as the Windows firewall were enabled by default. Again, this is great stuff and should be loudly applauded. I should note that the Windows firewall was available prior to SP2, but many/most users were blissfully unaware of it because it wasnt enabled by default. (Boo hiss! Bad Microsoft!)
Mac vs. Linux: Which is More Secure?
Is the Mac Really More Secure than Windows?
IT In 2007: Budget and Trends
The Emerging Dell-Linux-Apple War|
But XP was released in late 2001, early 2002, so it couldnt have possibly benefited in any meaningful way from Mr. Gatess new security policy statement. An operating system takes years to develop, and no doubt the vast majority of the development that went into XP took place long before the developers had even the faintest hint of his intentions.
And then along comes Vista, some five or so years later. By all accounts, the code under Vistas hood was largely a thorough re-write of prior XP and Win-2000 code. And whats more, its the first full operating system that Microsoft developed from the ground up using its new Security Development Lifecycle (SDL).
Several papers and even books have been published detailing the different aspects of the SDL process. In mid-2006, Michael Howard and Steven Lipner published an excellent book on the SDL it should be read by anyone who develops software.
But, outside of a relatively small (but growing) cadre of software security practitioners, not a lot of folks even know the SDL exists. And yet, in a very real way, the SDL is at least as much on the line here as Vista itself.
And with the first Vista-affecting zero-day attack surfacing just last week, I really hope this isnt a harbinger of things to come. At least judging by the early accounts of this new security defect, it seems as though theres every reason to expect it should have been caught through the extensive fuzz testing thats an integral part of the SDLs security testing regimen. There are even early indicators that this flawor at least a substantially similar onewas reported to Microsoft in XP a couple years back.