Paul Krill
Editor at Large

Microsoft: Invulnerable software is not possible

analysis
May 16, 2013

Human error and bad actors will always make security a risk, a company executive acknowledges

While Microsoft has instituted processes intended to make its software secure and even opened up those processes for others to use, there is no such thing as completely risk-free software, a Microsoft official says.

Speaking at Microsoft’s Security Development Conference in San Francisco this week, Scott Charney, corporate vice president for Trustworthy Computing at Microsoft, detailed Microsoft’s journey from just issuing patches when problems occurred to following its own SDL (Security Development Lifecycle) processes, which made security intrinsic to development. “Back in the early days, it was all about whack-a-mole. Problems would occur, patches would issue,” said Charney, a former prosecutor.

In 2004, Microsoft launched SDL and applied it to products connecting to the Internet, used in the enterprise, or used to store or process personal information. SDL was deployed with the goal of reducing vulnerabilities in products and integrated into the development lifecycle. A “final security review” was implemented to gauge whether a product had no security problems that knowingly would prompt a critical or important bulletin.

But the SDL process has ruffled some feathers with product teams who were ready to move ahead with their products but got stalled by Microsoft’s new security requirements. “The first time we told a product group they can’t ship, they were like deer in the headlights,” Charney said.

While SDL has reduced customer pain and dramatically reduced vulnerabilities, Charney says the company knows it will never get vulnerabilities down to zero. “It’s just not possible — software’s written by human beings. They make mistakes.” And there will always be bad actors, Charney noted. “The reason we have to do secure development is because there’s always a percentage of the population up to no good.”

This story, “Microsoft: Invulnerable software is not possible,” was originally published at InfoWorld.com.

Paul Krill

Paul Krill is editor at large at InfoWorld. Paul has been covering computer technology as a news and feature reporter for more than 35 years, including 30 years at InfoWorld. He has specialized in coverage of software development tools and technologies since the 1990s, and he continues to lead InfoWorld’s news coverage of software development platforms including Java and .NET and programming languages including JavaScript, TypeScript, PHP, Python, Ruby, Rust, and Go. Long trusted as a reporter who prioritizes accuracy, integrity, and the best interests of readers, Paul is sought out by technology companies and industry organizations who want to reach InfoWorld’s audience of software developers and other information technology professionals. Paul has won a “Best Technology News Coverage” award from IDG.