Microsoft hosts OEM partners for a crash-course in SDL (Day Two)


Day two of the SDL training session for OEMs went well. James Whittaker led the discussion for the first half of the morning, covering security testing. His main point was that testing for security requires a different mindset – you still have to rely on conventional testing techniques, but you also have to take it to the next level: expect the unexpected and don’t be bound by conventional wisdom. He demonstrated a number of interesting techniques and tools for uncovering security flaws. The OEM attendees were engaged, asking questions, challenging a number of points, and giving us feedback on how testing is done in their organizations. In the second half of the day we switched focus to Bill Shihara, who spoke on two subjects: the role of the security advisor (security experts from our team who act in a mentor/liaison role with the product teams) and the tools that are publicly available and used as part of the SDL.
 
We had a nice surprise at the end of the day – Jim Allchin took time out from his schedule to come over, chat with the attendees, and thank them for their participation. This was a non-trivial effort considering we RTM’d Vista yesterday. Jim was very direct: a lot of thought and effort has gone into the security of Vista, but it’s crucial for Microsoft and the industry leaders in the room to work together to secure the ecosystem. He asked that the partners demand better security and reliability from themselves and from their ISV and hardware component suppliers. Another good day… The last sessions will cover security response (Mike Reavey), a discussion of our recently published privacy guidelines for developers (Tina Knutson and Sue Glueck), and a final wrap-up discussion.

Comments (6)

  1. If you follow the same blogs that I do, you’re probably already aware of the fact that Microsoft is hosting a series of discussions with their OEM partners about the SDL (Security Development Lifecycle.) First of all, let me say that I’m seriously jealous

  2. Are there plans for similar crash-courses in SDL for other software development companies? (I’m trying a similar question for the second time.) 🙂

    Congratulations for your great book "The Security Development Lifecycle".

  3. Dragan, we’re going to mull over how the OEM event went, to see what we do next. The verbal feedback so far has been nothing short of stellar. Next we’ll need to look at all the written and email feedback to see how we adapt it moving fwd. Stay tuned.

  4. Michael, thank you for the answer. I’m interested in SDL. I believe it will be announced soon and would like to be notified by e-mail. <MH: snip>

    Btw: I enjoyed your article “A Process for Performing Security Code Reviews,” in IEEE Security & Privacy magazine.

  5. As I mentioned in a previous series of posts , we recently had all the major OEMs on campus to discuss

  6. At the end of June my family and I are moving to Austin, Texas. I’ll still be doing a lot of the same