Comment: Building Secure Software From the Inside Out

With the internet now a central part of the business world, cybercriminals can exploit software vulnerabilities to compromise networks and gain access to sensitive data and personal information
With the internet now a central part of the business world, cybercriminals can exploit software vulnerabilities to compromise networks and gain access to sensitive data and personal information
Steve Lipner, Microsoft Trustworthy Computing Group
Steve Lipner, Microsoft Trustworthy Computing Group

This year marked the 40th anniversary of the first report I wrote on software security. Throughout my time in the field, I’ve seen a lot of methods for building secure software that haven’t worked. However, I believe the industry has developed some genuinely effective methods with the goal of making software more safe and secure.

With the internet now a central part of the business world, cybercriminals can exploit software vulnerabilities to compromise networks and gain access to sensitive data and personal information. To keep customers safe, security and privacy need to be baked into every piece of software – from the very beginning of the development process – and software needs to evolve to be truly effective against online threats.

Most users have some kind of anti-virus software installed on their home or work computers, added ‘on top’ of the operating system, and other programs that attempt to actively protect their files and keep their personal details away from cybercriminals. But is this add-on approach the only way to help keep data safe? There’s definitely more the software industry can do.

One effective alternative to add-on security is the Security Development Lifecycle (SDL), which helps build software from the ground up with security and privacy in mind. Secure software development is a time-consuming process; by its very nature it is a complex undertaking that requires in-depth planning and considerable effort, so any way to weave security into the development process should make everyone’s life easier and software a lot safer. Failing to prioritize security from the outset of the development process can lead to a vicious circle of attacks and costly clean-ups.

What Is the SDL?

In the years prior to 2004, Microsoft executives realized that malicious software threats, combined with a number of notable security vulnerabilities in Microsoft products, were eroding public trust. In addition, each software development team within Microsoft approached security in a different way – some development teams put security at the center of each project, while others focused on features and functionality.

To galvanize Microsoft’s commitment to security, Bill Gates established Trustworthy Computing in 2002 to bring security to the forefront of the software development process at Microsoft. Between 2002 and 2004, we developed and honed a set of tools and processes designed to build security directly into software.

This early work ultimately led to the SDL, which is now an integral part of our product and online service development process. The SDL is a security assurance process that puts security at the heart of every phase of software development. The SDL has been applied to essentially every Microsoft product since 2004 and, ultimately, aims to enhance security in Microsoft products and services.

Security for All

The SDL has enabled us to improve the security and privacy of our products. We encourage everyone in the software industry – partners and competitors alike – to adopt similar secure development processes. Since 2006, we have shared our secure development processes, tools and services with others in the industry, and we’re happy to see a wide range of organizations and businesses adopting them.

The SDL has helped companies revolutionize the way they approach security within the development process. For example, in 2008, the MidAmerican Energy Company was the subject of a botnet attack that attempted to steal data from the company’s website and corporate network. MidAmerican began redeveloping the infected sites and code, but adopted the Microsoft SDL process to ensure that security moved from being an afterthought to a priority. With the SDL as a backbone for development, MidAmerican’s development efforts began with security. For more information, check out our case study on MidAmerican’s adoption of the SDL.

The Bottom Line

Cyberthreats are not going to go away, so it’s imperative for developers to fortify their products by making security a priority at every stage of the development lifecycle. However, IT decision-makers need to feel that any investment in security is sound and responds effectively to the sophistication of botnets and other online threats. Microsoft believes that IT decision-makers can make significant steps toward a more secure network if they adopt a secure development process such as the SDL. Applying the SDL allows users to benefit from real, quantifiable results – both for shoring up security and for improving finances.

We have just released our SDL Progress Report, which outlines the company’s progress in developing and improving the SDL over the past nine years and promotes adoption of secure development. Recent independent studies have shown that companies integrating security into their development process experience a clear return on investment, providing motivation for development teams to adopt the SDL.

The SDL Progress Report includes findings of new research on some of the world’s most popular applications, providing insight into how many of these applications take advantage of the security mitigations that are built into Windows operating systems. We hope the report provides you with beneficial information on lessons Microsoft learned about secure development and inspires you to examine how the SDL process, tools and technology could benefit your organization.


As the senior director of security engineering strategy in Microsoft Corp.’s Trustworthy Computing Group, Steve Lipner is responsible for Microsoft’s Security Development Lifecycle team, including the development of programs that provide improved product security and privacy to Microsoft customers. Additionally, Lipner is responsible for Microsoft’s engineering strategies related to the company’s End to End Trust initiative, aimed at extending Trustworthy Computing to the internet. Lipner has more than 35 years of experience as a researcher, development manager and general manager in information technology security, and is named as inventor on thirteen US patents in the field of computer and network security. He holds both an SB and SM degree from the Massachusetts Institute of Technology, and attended the Harvard Business School’s Program for Management Development.

What’s hot on Infosecurity Magazine?