Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The greatest security story never told -- how Microsoft's SDL saved Windows

John E Dunn | March 10, 2014
Microsoft has launched a new website to "tell the untold story" of something it believes changed the history of Windows security and indeed Microsoft itself – the Software Development Lifecycle or plain ‘SDL' for short.

Microsoft has launched a new website to "tell the untold story" of something it believes changed the history of Windows security and indeed Microsoft itself - the Software Development Lifecycle or plain 'SDL' for short.

For those who have never heard of the SDL, or don't have the remotest idea why it might be important, the new site offers some refreshingly candid insights to change their minds.

Without buying into the hype, the SDL can still fairly be described as the single initiative that saved Redmond's bacon at a moment of huge uncertainty in 2002 and 2003. Featuring video interviews with some of its instigators and protagonists, the new site offers outsiders a summary of how and why Microsoft decided to stop being a software firm and become a software and security firm in order to battle the malware that was suddenly smashing into its software.

Few outside the firm knew of the crisis unfolding inside its campus but not everyone was surprised. Microsoft now traces the moment the penny dropped to the early hours of a summer morning in 2001, only weeks before it was due to launch Windows XP to OEMs.

"It was 2 a.m. on Saturday, July 13, 2001, when Microsoft's then head of security response, Steve Lipner, awoke to a call from cybersecurity specialist Russ Cooper. Lipner was told a nasty piece of malware called "Code Red" was spreading at an astonishing rate. Code Red was a worm a malicious computer program that spreads quickly by copying itself to other computers across the Internet. And it was vicious."

Others arrived in the following two years; the Blaster worm, Nimda, Code Red II, MyDoom, Sasser, and on and on. To a world and a Microsoft not used to the notion of malware being a regular occurrence, this was all a big shock.

By January 2002, with attacks on its baby XP humbling the biggest software firm on earth, Bill Gates sent his famous Trustworthy Computing (TwC) memo to everyone at Microsoft. From now on, security was going to be at the root of everything and so help us God.

That turned into the SDL, and it was given priority one to the extent that it took over the whole 8,500-person Windows development team for much of that year and the next. Its ambition was to completely change the way Microsoft made software so that as few programming errors were made that had to be fixed once customers were involved; "security could not continue to be a retroactive exercise."

Users had also started complaining. Loudly.

"I remember at one point our local telephone network struggled to keep up with the volume of calls we were getting. We actually had to bus in engineers," the site quotes its security VP Matt Thomlinson as saying.

 

1  2  Next Page 

Sign up for MIS Asia eNewsletters.