
Microsoft Secure Development Cycle expanded to critical infrastructure application level

Dear friends!

We would like to share with you the story of Steve Lipner, senior director for strategic planning and development of security technologies at Microsoft, who participated in the Security Development Conference 2012 in Washington on May 16, 2012:

“This morning, in Washington, I participated in the Security Development Conference 2012, listening to different opinions from people from companies, government agencies, and academia who shared their experiences in adapting the Security Development Lifecycle. After the plenary session and some of the sessions I attended, today I saw a talk by Scott Charney, which reminded me of the early days when Microsoft, along with its customers, faced security threats that changed their credibility of products and services. Creating an SDL was an important step in combating these threats, and currently SDL continues to help reduce the number and severity of vulnerabilities found in Microsoft products.

I see that an increasing number of organizations understand the value and importance of implementing safe development practices, and this inspires optimism in me that in the future software will be more secure than software that was developed earlier. I remember in 1997 when I took part in the RSA Security Conference, sitting in the lobby of the Mark Hopkins Hotel in San Francisco with several hundred people. Today, the annual RSA conference is one of the major industry events with more than 10,000 participants. I'm not sure that the Security Development Conference will follow the same trajectory, but I believe that the importance of secure development is increasing.

At the conference, we announced two new success stories in critical industrial scenarios, where SDL adaptation is beyond the borders of documented processes for traditional application providers. The Government of India and Itron together integrated the SDL into their processes, and today we share these success stories with the help of two published case studies:

Government of India - The Government of India has identified the importance of a holistic integration of security and highlighted the key concept of including safe code creation practices, including them in a draft five-year national economic plan. The Indian leadership hopes that this is a significant step that will help improve the security of software and services created as part of targeted programs. The Indian Computer Threat Response Center (CERT-In), which is directly involved in security issues, has already taken important steps to implement SDL processes and included their further development in the five-year plan, using Microsoft SDL as a basis for security. In addition, the National Information Center, part of the Central Government of India, required training on SDL principles for more than 10,000 Indian computer security investigators. The Government of India also urges businesses to adapt similar practices, showing the great importance and role of security in the interaction of companies and government agencies. You can get additional information on the steps taken by the Government of India in the implementation example, which is published and available for download.

Itron, Inc. - Itron is the leading provider of energy and water management and is used in more than 8,000 installations worldwide. More recently, this company has incorporated SDL into its development processes. With the increased level of threat to critical infrastructure, Itron realized that they needed to take active steps to protect the systems, which would enable the implementation of security mechanisms from the very beginning. The company introduced Microsoft SDL and made these practices mandatory throughout the development of both software and hardware. Itron is currently one of the most experienced companies that have implemented SDL in the Smart Grid area. You can get additional information about the steps taken in the sample application, which is available for download.

These examples show positive security developments for government structures and infrastructure and demonstrate some significant improvements in security. The security community does a lot of work to promote these ideas, which then help create safer software for everyone. We hope that the Security Development Conference 2012 will be the impetus for even more interesting implementation stories next year.

Together, as an industry, we are responsible for creating safe technologies that can be trusted. If your organization is considering adapting the SDL process, visit the Microsoft SDL website, where you can download free tools and documentation. We also created a network of consultants who will assist in the implementation of the SDL process. For more information, visit www.microsoft.com/sdl”

Source: https://habr.com/ru/post/145200/

