The greatest security story never told - how Microsoft's SDL saved Windows

"We actually had to bus in engineers."

Microsoft has launched a new website to "tell the untold story" of something it believes changed the history of Windows security and indeed Microsoft itself - the Software Development Lifecycle or plain 'SDL' for short.

For those who have never heard of the SDL, or don't have the remotest idea why it might be important, the new site offers some refreshingly candid insights to change their minds.

Without buying into the hype, the SDL can still fairly be described as the single initiative that saved Redmond's bacon at a moment of huge uncertainty in 2002 and 2003. Featuring video interviews with some of its instigators and protagonists, the new site offers outsiders a summary of how and why Microsoft decided to stop being a software firm and become a software and security firm in order to battle the malware that was suddenly smashing into its software.

Few outside the firm knew of the crisis unfolding inside its campus but not everyone was surprised. Microsoft now traces the moment the penny dropped to the early hours of a summer morning in 2001, only weeks before it was due to launch Windows XP to OEMs.

"It was 2 a.m. on Saturday, July 13, 2001, when Microsoft's then head of security response, Steve Lipner, awoke to a call from cybersecurity specialist Russ Cooper. Lipner was told a nasty piece of malware called "Code Red" was spreading at an astonishing rate. Code Red was a worm a malicious computer program that spreads quickly by copying itself to other computers across the Internet. And it was vicious."

Others arrived in the following two years; the Blaster worm, Nimda, Code Red II, MyDoom, Sasser, and on and on. To a world and a Microsoft not used to the notion of malware being a regular occurrence, this was all a big shock.

By January 2002, with attacks on its baby XP humbling the biggest software firm on earth, Bill Gates sent his famous Trustworthy Computing (TwC) memo to everyone at Microsoft. From now on, security was going to be at the root of everything and so help us God.

That turned into the SDL, and it was given priority one to the extent that it took over the whole 8,500-person Windows development team for much of that year and the next. Its ambition was to completely change the way Microsoft made software so that as few programming errors were made that had to be fixed once customers were involved; "security could not continue to be a retroactive exercise."

Users had also started complaining. Loudly.

"I remember at one point our local telephone network struggled to keep up with the volume of calls we were getting. We actually had to bus in engineers," the site quotes its security VP Matt Thomlinson as saying.

The fruit of the SDL was XP's first Service Pack in 2002, followed up by the even more fundamental security overhaul of SP2 in 2004. By then, XP had been equipped with a software firewall, an almost unthinkable feature for an OS three years eariler.

It's arguable that despite the undoubted gains of the SDL since then, that the firm has yet to fully recover from the trauma of the period. Windows development has seemed less and less certain ever since, following up XP with the flawed Vista and more recent Windows 8 near-debacle. Microsoft still does operating systems but it's not clear that all its users do.

Still, the SDL programme has proved hugely influential even if it's not well known outside tech circles. It is now baked into everything. It has also influenced many other software houses and many have versions of the SDL of their own, many modelled on Microsoft's published framework on how to run secure development.

Whatever mis-steps Microsoft has made in the last decade, security has turned into a bit of a success story right down to the firm's pioneering and hugely important Digital Crimes Unit (DCU) that conducts the forensics necessary to track down the people who write malware in their caves. Both the SDL and DCU are seen as world leaders.

So let's hear of for Redmond, the software giant that launched an operating system years behind the criminals but somehow clawed itself back from disaster. Most other firms would have wilted but somehow Gates's memo rallied the cubicle army.

Join the CSO newsletter!

Error: Please check your email address.

Tags Personal TechMicrosoftsecuritySDL

More about BillindeedMicrosoftSDL

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place