Security Symposium @ the PDC Wrap-up

Well, the Professional Developers Conference in LA is over (ok, I admit it, I’m late, it finished ages ago) and the Security Symposium we held on the last day was a hit with attendees. I don’t know what experiences you’ve had pulling this kind of thing together, but it’s always pretty stressful. You have to make sure you have good material, get it reviewed, re-reviewed, and reviewed by VPs, not to mention making sure you have all the appropriate speakers lined up. That said, I always love doing these events because it’s great to chat with customers, give them some insight into what we’re up to and listen to their feedback as well.

What struck me this year is more attendees ‘get it’ and the average level of software development security expertise is rising amongst developers on our platforms. Very cool!

This year the symposium focused on only one thing, the Security Development Lifecycle: not just what we’re doing at Microsoft around the SDL and the benefit (read: reduction in vulnerability quantity and severity) we’ve seen, but how other software developers can take advantage of the SDL to improve the security of their software. To this end, we decided to include a couple of guys who work closely with customers, Adam Barker and Graham Elliott. Both work for Microsoft Consulting in Australia and have worked closely with customers there. In fact, they dragged David Palmer along from Westpac Bank. It was interesting getting some insights from David, as Australia is a huge target for phishing attacks: there are only four major banks in Oz and the country has high online banking penetration, so if you email a dot-au email address, the chances are very good the lucky recipient thinks they need to change their banking password!

Steve Lipner kicked off the day with a short overview of the SDL, and then I outlined some of the new thinking we have around threat modeling. We’ve really taken this from being an arcane art to almost a science, and it’s proving very effective at finding security issues before code is committed.

Jerry Pournelle from Byte/DDJ came up to me after my session to discuss some of the threat analysis work he did during the ’60s on the Apollo project. It turns out NASA was concerned that the Russians might put boats off the Florida coast to shoot missiles at the Apollo rockets as they blasted off. They mitigated the threat by parking a bunch of US boats off the coast to watch for suspicious craft.

He posted an interesting and very readable summary of the Security Symposium at

Adam and Graham continued with more of a customer-focused overview of the SDL, and asked David Palmer to give his insight into Westpac’s dealings with the SDL. In short, they are starting to use the SDL in their internal development processes to create more secure software mainly because of Australian and US banking regulations.

The final session, after lunch, was the panel discussion. Panelists included yours truly as MC, Steve Lipner, David Litchfield, David Palmer and Greg Elkins from LexisNexis. Questions were written by members of the audience and passed to me to read out for the panel members to comment on. The stickiest question was “Can you learn anything [to improve the SDL] from other software vendors?” This was sticky because most vendors don’t outline the process they go through, so I passed on the question, as did Steve. I was going to pass on the question on behalf of the panel when David Litchfield piped up (quite energetically) that he had experience dealing with another large software vendor’s process and stated that the unnamed vendor could do with learning a lot from Microsoft’s SDL, not just the up-front secure design, coding and testing, but the security response side of things too. I’ll let you determine who that vendor is!

In all, it was a great day – we gave a bunch of “19 Sins” books away, which is always nice, and then I headed off to LAX for the flight back to Seattle. What’s really annoying is that the wing of LAX that Alaska Airlines flies out of has no WiFi and very few power outlets 🙁 So I got to spend more time working on the next book! 🙂

Comments (3)

  1. Alan says:

    Might want a spell checker on the title, missing a ‘y’.

    And this link worked for me: but not the one you posted.

  2. raymond amegadjin says:

    Hi. I found your weblog when I was browsing through the web, looking for information for my project.

    Sorry I haven’t introduced myself. I’m called Raymond Amegadjin, a 22-year-old student in Software Engineering at NIIT (you may know that Indian company, known worldwide in IT) in Ghana (West Africa). I am in the 2nd semester of the MasterMind program, which deals with SQL (designing, implementing and administering), and we have a project each quarter.

    As I said earlier, it was in my quest for knowledge that I found your blog; I didn’t get the time to go through the various pages. So, my project deals with Windows 2003 Server; I’m supposed to bring out the various factors like security, reliability and an easy-to-use interface of this NOS (Network Operating System).

    In the 1st semester we did a bit of networking that gave us a global knowledge of networking, but not in depth.

    I wish you could be of help to me, if possible. I would like to continue my Software Engineering program to master J2EE, as I read in your blog. My hope is to be a DBA or DB architect.

    Hope to hear from you soon.