Menu
The greatest security story never told - how Microsoft's SDL saved Windows

The greatest security story never told - how Microsoft's SDL saved Windows

"We actually had to bus in engineers."

Microsoft has launched a new website to "tell the untold story" of something it believes changed the history of Windows security and indeed Microsoft itself - the Software Development Lifecycle or plain 'SDL' for short.

For those who have never heard of the SDL, or don't have the remotest idea why it might be important, the new site offers some refreshingly candid insights to change their minds.

Without buying into the hype, the SDL can still fairly be described as the single initiative that saved Redmond's bacon at a moment of huge uncertainty in 2002 and 2003. Featuring video interviews with some of its instigators and protagonists, the new site offers outsiders a summary of how and why Microsoft decided to stop being a software firm and become a software and security firm in order to battle the malware that was suddenly smashing into its software.

Few outside the firm knew of the crisis unfolding inside its campus but not everyone was surprised. Microsoft now traces the moment the penny dropped to the early hours of a summer morning in 2001, only weeks before it was due to launch Windows XP to OEMs.

"It was 2 a.m. on Saturday, July 13, 2001, when Microsoft's then head of security response, Steve Lipner, awoke to a call from cybersecurity specialist Russ Cooper. Lipner was told a nasty piece of malware called "Code Red" was spreading at an astonishing rate. Code Red was a worm a malicious computer program that spreads quickly by copying itself to other computers across the Internet. And it was vicious."

Others arrived in the following two years; the Blaster worm, Nimda, Code Red II, MyDoom, Sasser, and on and on. To a world and a Microsoft not used to the notion of malware being a regular occurrence, this was all a big shock.

By January 2002, with attacks on its baby XP humbling the biggest software firm on earth, Bill Gates sent his famous Trustworthy Computing (TwC) memo to everyone at Microsoft. From now on, security was going to be at the root of everything and so help us God.

That turned into the SDL, and it was given priority one to the extent that it took over the whole 8,500-person Windows development team for much of that year and the next. Its ambition was to completely change the way Microsoft made software so that as few programming errors were made that had to be fixed once customers were involved; "security could not continue to be a retroactive exercise."

Users had also started complaining. Loudly.

"I remember at one point our local telephone network struggled to keep up with the volume of calls we were getting. We actually had to bus in engineers," the site quotes its security VP Matt Thomlinson as saying.

The fruit of the SDL was XP's first Service Pack in 2002, followed up by the even more fundamental security overhaul of SP2 in 2004. By then, XP had been equipped with a software firewall, an almost unthinkable feature for an OS three years eariler.

It's arguable that despite the undoubted gains of the SDL since then, that the firm has yet to fully recover from the trauma of the period. Windows development has seemed less and less certain ever since, following up XP with the flawed Vista and more recent Windows 8 near-debacle. Microsoft still does operating systems but it's not clear that all its users do.

Still, the SDL programme has proved hugely influential even if it's not well known outside tech circles. It is now baked into everything. It has also influenced many other software houses and many have versions of the SDL of their own, many modelled on Microsoft's published framework on how to run secure development.

Whatever mis-steps Microsoft has made in the last decade, security has turned into a bit of a success story right down to the firm's pioneering and hugely important Digital Crimes Unit (DCU) that conducts the forensics necessary to track down the people who write malware in their caves. Both the SDL and DCU are seen as world leaders.

So let's hear of for Redmond, the software giant that launched an operating system years behind the criminals but somehow clawed itself back from disaster. Most other firms would have wilted but somehow Gates's memo rallied the cubicle army.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Personal TechMicrosoftsecuritySDL

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments