A situation analysis of the security awareness at Software Vendors and how to best inform them about the Microsoft Security Development Lifecycle
Linköping University, Department of Computer and Information Science.

2010 (English). Independent thesis, Advanced level (degree of Master (Two Years)), 30 credits / 45 HE credits. Student thesis.

Alternative title: Nulägesanalys av säkerhetsmedvetenheten hos programvaruleverantörer och informationsspridningen om Microsoft Security Development Lifecycle (Swedish)
Abstract [en]

In January 2002 Bill Gates sent out the renowned "Trustworthy Computing" memo, in which he announced that the company would shift its focus from adding new features and functionality to security and privacy. This is what led to the formulation of the Security Development Lifecycle (SDL). The process is now mandatory for all development at Microsoft with meaningful business risk and/or with access to sensitive data. The SDL led to great improvements in the number and severity of vulnerabilities in the products that went through the process. When the vulnerabilities in the Operating System (OS) were diminished, Microsoft noticed that the threats moved to the application layer. This led to them wanting to spread their model to application developers. One interesting target group is mid-sized Independent Software Vendors (ISVs), mainly because there are so many of them. Finding out what development process they use today and how they would benefit from, and could be informed about, the SDL is of interest to Microsoft. Interviews with Microsoft evangelists, security experts and representatives from the target group have been performed to get a better understanding of the situation today and how it could be improved. The interviews have resulted in a number of recommendations for how to adjust the SDL and the information concerning the process to meet mid-sized ISVs' needs. A clear need for information that is categorized and directed to the different business areas in the software industry, with specific recommendations and courses of action for each of them, has been identified. The interviews have also resulted in a situation analysis of the security awareness at the target group today and the experts' view of which activities in the SDL they would benefit from. The maturity level amongst the ISVs was found to be low, and their own estimated vulnerability level was low.

The estimated security awareness in the future, on the other hand, is high; this can be accounted for by the upcoming migration to cloud services that is requested by the customers and the security issues this will lead to. One thing that is agreed upon as suitable to introduce is threat modeling. This requires little security knowledge yet leads to a dramatic reduction in vulnerabilities. The experts have also shared improvements they think could be made to the SDL.

Place, publisher, year, edition, pages
2010, 93 p.
Keyword [en]
SDL, Security, Development, ISV
National Category
Computer Science
URN: urn:nbn:se:liu:diva-53708
ISRN: LIU-IDA/LITH-EX-A--09/065--SE
OAI: diva2:291354
2009-12-18, Donald Knuth, Linköpings universitet 581 83, Linköping, 13:15 (Swedish)
Available from: 2010-02-01. Created: 2010-02-01. Last updated: 2010-02-01. Bibliographically approved.

Open Access in DiVA

fulltext (17233 kB), 399 downloads
File information
File name: FULLTEXT01.pdf
File size: 17233 kB
Checksum: SHA-512
Type: fulltext
Mimetype: application/pdf

By author/editor
Gunnbäck, Johannes; Mischel, Helena
By organisation
Department of Computer and Information Science, Computer Science