“My name is Microsoft and I have a problem.” That could be the introductory statement of the company at the group meeting of ISVs With Legacy Systems Full of Security Holes Anonymous.
In a recent article, eWeek talks about Microsoft’s push into application security and security best practices.
In the process of building its newly launched Windows Vista OS, the Redmond, Wash.-based software maker employed a new vulnerability detection process labeled SDL (Security Development Lifecycle), which it claims has greatly reduced the number of holes in its products, and which will also serve as a foundation for the firm’s nascent application security business.
I’ve written that we’ll see more and more of this type of behavior from large ISVs as they realize security can be a competitive advantage.
Other examples from large vendors: Oracle gets behind the Common Vulnerability Scoring System (CVSS), followed by Cisco. Oracle is getting great feedback from customers about this move, according to the Oracle Security Blog.
Microsoft focuses on securing ISVs by sharing a lot of information about its best practices, tools and processes. In fact, there is a whole security workshop focused on ISVs. See my blog post about it here: http://nofud.org/2008/04/24/microsoft-isv-security-workshop/