The irony of Microsoft security tools
Written by Writer on Friday, October 3rd, 2008
So Microsoft would love to see you use its tools …for a price
This week I’d like to briefly revisit the subject of security and risk assessment.
A somewhat ironic announcement recently came from Microsoft: it wants to sell its secure development lifecycle process to the rest of the community. The result of a four-year development effort, it now wants to sell you this process for the development of secure systems. No matter how you phrase it, it just seems wrong.
To be perfectly fair, Microsoft has written a great many lines of code. It has different groups working on different pieces, and it integrates purchased applications and applets into its code base. Microsoft is also a high-profile company that hackers and crackers want to try to break into, something that Apple is starting to find out about.
The first initiative to be made public will be the Microsoft SDL Threat Modelling Tool. This is a threat tracking tool that sounds a lot like tools I have used in the past: it involves flagging potential areas of threat, analysing those threats and integrating the results with bug tracking. Any element of the design might be flagged as a potential security threat depending on its type. For example, a dataflow would be flagged for SQL injection and other tampering, while an external entity would be flagged for spoofing and authentication.
In essence, this is what people should have been doing for quite some time during the regular analysis cycle - it falls under the heading of risk assessment in most of the methodology tools I have used over the years.
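The type-based flagging described above, as an added illustration that is not Microsoft's tool: a small Python threat modeller that applies the standard STRIDE-per-element mapping to a constructed data-flow diagram and emits bug-tracker style items. The element names, their attributes and the SQL-injection and plaintext refinements are assumptions of this example.

```python
# Added example: STRIDE-per-element threat flagging over a constructed DFD.
from dataclasses import dataclass, field

# Standard STRIDE-per-element exposure table (which categories apply to which element type).
STRIDE_BY_ELEMENT = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"],
    "data_store": ["Tampering", "Repudiation", "Information disclosure", "Denial of service"],
    "dataflow": ["Tampering", "Information disclosure", "Denial of service"],
}


@dataclass
class Element:
    name: str
    kind: str                      # one of the keys in STRIDE_BY_ELEMENT
    attrs: dict = field(default_factory=dict)


def threats_for(el):
    """Map one element to {category: [refining notes]} using its type and attributes."""
    threats = {cat: [] for cat in STRIDE_BY_ELEMENT[el.kind]}
    a = el.attrs
    if el.kind == "dataflow" and a.get("carries_sql"):
        threats["Tampering"].append("SQL injection: untrusted input reaches a query")
    if el.kind == "dataflow" and a.get("crosses_trust_boundary") and not a.get("encrypted"):
        threats["Information disclosure"].append("plaintext across a trust boundary")
    if el.kind == "external_entity" and not a.get("authenticated"):
        threats["Spoofing"].append("no authentication of this entity")
    return threats


def model(elements):
    """Produce one tracker-style item per (element, STRIDE category), ready for bug tracking."""
    items = []
    for el in elements:
        for cat, notes in threats_for(el).items():
            items.append({"id": f"T-{len(items) + 1:03d}", "element": el.name,
                          "category": cat, "note": "; ".join(notes), "status": "open"})
    return items


# Constructed sample DFD: browser -> web app -> customer database.
SAMPLE_DFD = [
    Element("browser", "external_entity", {"authenticated": False}),
    Element("http_request", "dataflow", {"crosses_trust_boundary": True, "encrypted": False}),
    Element("web_app", "process"),
    Element("db_query", "dataflow", {"carries_sql": True}),
    Element("customer_db", "data_store"),
]

if __name__ == "__main__":
    for item in model(SAMPLE_DFD):
        print(item["id"], item["element"], item["category"], item["note"])
```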
At the same time Microsoft is reminding security departments that they need to keep the Net secure, a common goal for businesses. So Microsoft would love to see you use its tools and software products, for a price.
The next initiative will be the Microsoft SDL optimisation model. This tool will help outside agencies develop SDL processes of their own, or assist in an assessment of their existing models and programmes.
Part three will be the Microsoft SDL Pro Network. This is a network of providers of security who can help an organisation work on specific issues, presumably identified during steps one and two. During a one year pilot programme, nine consultancies have been identified. If you want to check them out the list at the moment is Cigital, IOActive, iSEC Partners, Leviathan Security Group, Next Generation Security Software, Nruns Professionals, Security Innovation, Security University and Verizon Business.
At this point those who have been working in the IT development and analysis sides of the industry will be summarising this into some basic areas: risk assessment, a plan to deal with it and the resources required to do this. Tools would vary from scribbled notes on pieces of paper to rather sophisticated processes resulting in reams of paper including diagrams and charts.
What Microsoft is offering is its formal process for dealing with what everyone has, or should have, when building any system. Even your basic home web site will be subject to security attacks. External sources may wish to steal your customer database, even if it is just a list of friends for the weekend game of bridge.
Others may want to bring down your site because it does not conform to their view of reality. In past articles we have looked at security and how it can affect you. For a business-level Web-based system the stakes can be a lot higher, but the approaches required are similar, just on a larger scale.
The tool or tools you use to approach this subject can vary, and Microsoft’s set may have some nice new names, but they are really just the same old things dressed up in new words. They may integrate better with collaboration in the existing Office suite, but do not think that, to use a common phrase, they will be a “silver bullet.”
If Microsoft was really so good at security and securing its systems, then why does it need to have at least monthly security updates, even for its latest products like Vista? Don’t be fooled by the marketing hype, but at the same time don’t dismiss the need for the underlying requirements either.
Email: jclhein@gmail.com