Lessons Learned About Building Secure Software: It's About the Developers!

In late 2001, the Secure Windows Initiative team at Microsoft started down a path that led to fundamental changes in the way that the company thought about software security and about software development. The path led through mandatory training for thousands of developers and "security stand-downs" for the development teams responsible for Microsoft's most important products, to the establishment of the Security Development Lifecycle (SDL) as a mandatory part of all product and online service development. The success of the SDL resulted in large measure from the facts that the team responsible for the SDL was focused on enabling secure development rather than measuring security compliance, and that the Microsoft development community accepted the critical importance of releasing more secure products and services. This talk will review the history that led to the SDL and discuss some of the key factors that lead to software security programs that are effective, acceptable, and long-lived.