A good move, but more is needed.
Microsoft is opening its internally crafted Security Development Lifecycle (SDL) to customers through a variety of new initiatives and is starting a program for third-party consultancies called SDL Pro Network "through which Microsoft customers will be able to learn the secure development processes that the company has created in the last four years for developer training, defining design objectives and implementation of best practices." [Fisher].
This is good.
Microsoft is certainly helping the entire software community by releasing this information, and it will undoubtedly help some write better, safer, more secure software. But hundreds of thousands of developers and software manufacturers remain free to ignore this and other related information. This is true for two reasons:
1. Software manufacturers choose independently of all others to what depth and degree to pursue secure development practices.
2. Security is still not part of market competition.
As much as Microsoft should be applauded for its efforts (I clapped when I heard the news), it must be remembered that Microsoft did not start its security efforts in earnest until after the company had attained 90 percent of the desktop market and some 40 percent of the server market. This is a model that many software manufacturers still rabidly pursue and can pursue because the market does not "see" security until the absence is all too clear. Security is, and remains, a missing and invisible criterion in the market's beauty contest.
Microsoft is making a good move by releasing its program to others, but astute readers understand this does not alter current market incentives. Microsoft may be powerful, but alas it is not that powerful. The rush-to-the-mountaintop still means that software manufacturers who might be well-intentioned regarding security and who may adopt Microsoft's SDL guidance must compete with a majority of those that are free to avoid such a burden.
And that is what needs to change.