Whidbey Security Push Progress

The past few weeks have been pretty busy for me. In my last blog I mentioned I was working on planning our "Security Push", which is a time we allocate in our product cycle where the top priority and focus is security. Having this kind of time is very valuable because you can get everyone working on this at the same time, and it builds great momentum. We started out with a big list of work items we wanted to complete, some of which were brand new, bleeding edge, using tools we had just finished developing. Talk about dogfooding…

After a wobbly start, everyone really kicked into gear and we started making good progress. This is the fifth week now out of a total of six, and things are looking great. We found a few areas where we needed to change the design to make the product more secure, and we fixed issues reported by scanning tools like FxCop and PreFast (if you want to try this one out, check out the December CTP). We also updated our threat models to include the latest changes, and we’ve reviewed a ton of source code.

In a month or so, our central security team (for the company) will be engaging our team for our "Final Security Review" (see Soma’s blog about the Security Development Lifecycle). Every product shipped by Microsoft needs to go through one of these and cannot ship without passing it. The central security team is a group of security experts who verify that a product meets the security bar defined for MS products (listen to Mike Howard talking about this in his MSDN TV episode). During February and March, they will be focusing on testing our product. It’s always useful when outside eyes are looking at your product; they may find things we somehow missed.

My next blog will be soon after they complete the testing of our product; I’ll keep you posted on how that goes.

-Natalie