It’s been more than 10 years now since Microsoft began the initiative that would eventually become Trustworthy Computing, and while the effects it’s had inside the company have been well documented, the utility and adoption of the Security Development Lifecycle by outside organizations and customers is less well-known. Several large organizations have adopted the SDL, either in whole or in part, and Microsoft executives say that the effects on these organizations are going to be just as important as they were for Microsoft.
The company this week is hosting its first Security Development Conference in Washington, D.C., and one of the things that Microsoft executives are focusing on is how the SDL has spread beyond Redmond and taken hold in a number of other industries and organizations. One of those recent adopters of the SDL is Itron, a company that manufacturers smart meters for installation around the world. Those meters are used to regulate and measure power usage in homes and businesses and the use of these machines has become somewhat controversial in the security community because of potential vulnerabilities and attacks.
To help address those issues, Itron began a software security program, based on the Microsoft SDL. The idea behind the effort is to address potential security bugs and attack vectors before the meters are deployed. Steve Lipner, one of the driving forces behind the Trustworthy Computing initative and SDL at Microsoft, said in an interview that the company is happy to see the SDL spreading beyond Microsoft’s walls and having an effect in other industries.
“It’s very important to see adoption by governments and private industry,” he said. “The adoption of secure development can have an important global effect. Some of the meter specifications involve providing a disconnect switch on the meters and they needed to get the security right or the consequences could be devastating.”
Security researchers already have discovered vulnerabilities in some smart meters and privacy advocates have questioned whether the data on the meters will be protected adequately. Last year, California approved new data security rules for smart meters, which prevent the utilities from disclosing customers’ usage or other data to third parties. Those same concerns about attacks and vulnerabilities are what is driving the use of the SDL at Itron.
“The light bulb went off for me when my customer looked across the table and said, ‘We’re planning on putting disconnect switches on every meter,’” Michael Garrison Stuber, an engineering advisor at Itron, said. “The implication was that this level of access to the network would equal the ability to control that network. From that standpoint I immediately realized, ‘This could be a giant target.’”
For some companies, the development of a software security program is driven by a recent security failure or series of attacks, but for others it’s more a case of customers pushing the vendor. That was the case for Microsoft when it began its effort more than a decade ago, and also for Itron. But some of the motivation also came from not wanting to go through the typical release, bug, patch cycle any longer. Paying pen testers and consultants to find bugs after the products are made can be an expensive proposition.
“I got tired of writing six-figure checks to these outside vendors,” said Stuber. “From a business standpoint it just made perfect sense to me that we need to be investing in how we do development so we’re thinking about security throughout the lifecycle.”
Lipner said he’d like to see even more adoption of the SDL in other industries.
“We’re encouraging customers to adopt the tools we’ve published as a way to save money and build more secure software,” he said. “The customers need to demand secure development practices.”