A situation analysis of the security awareness at Software Vendors and how to best inform them about the Microsoft Security Development Lifecycle
Independent thesis Advanced level (degree of Master (Two Years)), 30 credits / 45 HE creditsStudent thesisAlternative title
Nulägesanalys av säkerhetsmedvetenheten hos programvaruleverantörer och informationsspridningenom Microsoft Security Development Lifecycle (Swedish)
In January 2002 Bill Gates sent out the renowned "Trustworthy Computing" memo where he announced that the company would shift their focus from adding new features and functionality to security and privacy. This was what led to the formulation of the Security Development Lifecycle (SDL). This process is now mandatoryfor all development at Microsoft with meaningful business risk and/or with accessto sensitive data. The SDL led to great improvements of the number and severityof vulnerabilities in the products that went through the process. When the vulnerabilitiesin the Operation System (OS) were diminished Microsoft noticed thatthe threats moved to the application layer. This led to them wanting to spread their model to application developers. One interesting target group is mid-sized Independent Software Vendors (ISVs), mainly because there are so many of them. Finding out what development process they use today and how they would benefitfrom and could be informed about the SDL is of interest for Microsoft. Interviews with Microsoft evangelists, security experts and representatives from the target group has been preformed to get a better understanding of the situationtoday and how it could be improved. The interviews have resulted in a numberof recommendations for how to adjust the SDL and the information concerningthe process to meet mid-sized ISVs needs. A clear need for information, that is categorized and directed to the different bussiness areas in the software industry, with specific recommendations and courses of action for each of them, has beenidentified. The inter views have also resulted in a situation analysis of the security awareness at the target group today and the experts view of what activities in the SDL they would benefit from. The maturity level amongst the ISVs was found to be low and their own estimated vulnerability level was low. The estimated security awareness in the future on the other hand is high, this can be accounted for the upcoming migration to cloud services that is requested by the customersand the security issues this will lead to. One thing that is agreed upon that would be suitable to introduce is threat modeling. This requires little security knowledge yet leads to dramatic reduction in vulnerabilities. The experts have also shared improvements they think could be made on the SDL.
Place, publisher, year, edition, pages
2010. , 93 p.
SDL, Security, Development, ISV
IdentifiersURN: urn:nbn:se:liu:diva-53708ISRN: LIU-IDA/LITH-EX-A--09/065--SEOAI: oai:DiVA.org:liu-53708DiVA: diva2:291354
2009-12-18, Donald Knuth, Linköpings universitet 581 83, Linköping, 13:15 (Swedish)
Sandahl, Kristian, Professor
Sandahl, Kristian, Professor