In the war against reducing vulnerabilities in software code Microsoft Senior Security Strategist Phil Reitinger admitted the company still had a long way to go, but vowed the war will be won in the development stage.
Speaking at the National Security Australia 2005 conference yesterday, Reitinger proclaimed it is of critical importance to the IT industry that developers are trained to write secure code.
Reitinger also advocated Microsoft's Security Development Lifecycle (SDL) model to make the process easier.
SDL is Microsoft's current software security quality assurance framework involving a series of a checks at each stage of development.
The internal process that involves a security team assigned to each unit in the development stage when writing code.
Reitinger noted current common criteria for development does not require software to be designed by a process that reduces vulnerabilities, to which Microsoft are responding through the SDL.
"The stats so far have been pretty good; for Exchange Server 2000 Service Pack 3, which is more than just a patch, its sort of like an uber set of software changes prior to [being developed] under the trustworthy computing strategy it had eight security bulletins - when the new service pack came out developed under the twc/sdl process it had two," Reitinger said of the new regime.
"Is this good enough, no, we need it to reduce. But it does show progress, that the process is working and we are reducing the number of vulnerabilities in code.
"The SDL process includes security milestones at every stage of the design process - as the software design starts a team of security people are assigned to the development team".
"This is now mandatory in Microsoft for products that pose a security risk; that is products that are used in the enterprise or products that are internet-based. IT may not be everything but due to the business, due to the critical infrastructure it's got to do this.
"One of the most critical issues that the IT industry as a whole needs to address is the rising count in vulnerabilities - those who run IT systems live this on a day to day basis."
The SDL has been used in Windows Server 2003 and SQL Server 2000 SP3.