SDL Lessons learned from MS07-017

Hi everyone, this is Adrian Stone.


One question about the .ANI case in the MS07-017 bulletin that I still get regularly from many people outside of Microsoft is: “After all the work Microsoft did leveraging the Security Development Lifecycle, why didn’t it help catch this vulnerability in Windows Vista?” Honestly, that is a fair question and one I asked myself during the investigation, as I was the program manager responsible for the case. I decided to walk down the hall from my office to ask Michael Howard myself.


Michael works on the Security Development Lifecycle (SDL) right alongside the MSRC. The SDL group is a bunch of talented people who track down the security issues we identify in our investigations and work to ensure that the knowledge gained from an issue goes toward making our future products more secure. The MSRC and the SDL teams work together on all the bulletins we release.


Something important to remember, and something Michael often mentions if you have ever had a chance to hear him speak, is that the existence of the Microsoft Security Response Center, or of any planned security response to an issue, doesn’t mean that the SDL is ineffective or not working. Actually, having a security response plan and a Security Response Center is part of a healthy and robust implementation of the SDL. No matter how good an SDL implementation is, software can only be developed to be the most secure it can be at that point in time. The threat landscape may change or transform in ways that could not have been accounted for, so it will always be necessary to know which parts of the organization need to be mobilized to address the concerns and release an update.


Michael and others responsible for SDL recently launched the SDL blog and have an interesting post about the .ANI case that I think can help answer some of the questions you have posed to me about the matter. I can assure you that hearing from the SDL experts will be better than my attempts to explain the depth and comprehensiveness of the work they do. In any case, I encourage you to check out their blog.
*This posting is provided “AS IS” with no warranties, and confers no rights.*