Foreword

Early one Monday morning, Steve Ballmer walked into his conference room carrying a desktop. He put it down on the table in front of me. “I want this fixed, and I want it fixed by tomorrow,” he said. Over the weekend he had attended a wedding. The computer belonged to his friend, the groom. “I worked all weekend on this, and I couldn’t fix it,” he reported. “I want to send it back to him tomorrow.”

We analyzed the machine, looking for the problem. We’ve diagnosed other machines, but this one was over the top—it was polluted through and through with viruses and other malicious software. Some we already knew about and could easily clean, but several others we had never seen before. Regardless, the machine was nearly a lost cause by the time the first virus was done with it. I had the opportunity to go through that virus’s source code. The first thing it did was look around for and wipe out anything that had the word virus in it. This included, of course, anything with the moniker antivirus. It then disguised itself and turned off Windows Update as well as everything to do with group policy. The malware manipulated group policy facilities to disable all sorts of system capabilities. If you tried to run antivirus software on the machine, nothing happened. This machine was lost.

We did fix the machine—and some of Microsoft’s new security and anti-malware products help protect against the kinds of issues we found that day—but more malicious software will follow in the future. Security attacks are no longer the purview of teenagers holed up in their bedrooms trying to gain bragging rights at the expense of the world economy—attacks are now a profitable criminal business. Make no mistake, when it comes to the security battleground, we are on a rapidly escalating path. This is a war that will last far into the future. Hackers have gone beyond attacking operating systems and network servers—they are going after databases and they’re going after code associated with data types. If there’s a parser in the code you write, they’re going to go after it. Our research as well as other industry statistics show that attacks are moving farther up the stack from the operating system to the applications sitting on top. Everything, not just Microsoft Windows, is being attacked: Linux, Mac OS X, Solaris, server and client applications, and Web applications.

One of the best weapons you can have in your arsenal is clean code. Others include software configurations that are secure by default—so resilient that even vulnerable code can’t be attacked successfully—and security products that block or recover from attacks. At Microsoft we have made two major sweeps to rid our operating systems of security problems: first with Microsoft Windows Server 2003 and then with Windows XP SP2. These were investments that took thousands of engineers months to complete. It also refocused our efforts around how we built Windows Vista. Our work in this area is ongoing, and through these projects we have learned a great deal. Sharing this learning with you is a high priority for us and the top priority of this book, The Security Development Lifecycle. No one course of action will cure all ills, but the information in this book will help you do much more to protect your customers when designing your products, managing your projects, writing code, assessing risk, and testing security scenarios.

The authors of this book, Michael Howard and Steve Lipner, have a great deal of experience in this arena—more than 45 years combined in software security. More than 80,000 copies of Michael’s Writing Secure Code, co-written by David LeBlanc and first published in December of 2001, have reached developers’ hands. It contains much of what we learned through the work we did on Windows XP SP 2. The Security Development Lifecycle is the result of knowledge we’ve gained from dealing with vulnerabilities reported to the Microsoft Security Response Center and from continually updating our development processes to eliminate the root causes of such vulnerabilities. It contains valuable how-to information on everything from educating your developers to conducting security reviews to handling emergencies.

The best advice I can give, based on all my years in the software industry, is to remind you that where security is concerned, lunch is expensive. If you don’t pay for it now, you’ll pay an order of magnitude more for it later. You’ll have to dig out from under a cacophony of phone calls, PR problems, unhappy customers, and lost sales. Pay now or pay later—it comes down to the way you develop your code. By the time a vulnerability reaches the field, it’s way too late. It’s way too late if it gets into a beta release. It’s too late if you find problems in testing. And it’s too late if security holes make it into a build of the software. I hope the practices outlined in this book will help you more effectively address problems that might be found in your software, but more importantly, I hope it will help you prevent such problems in the first place.

Jim Allchin

May 2006

Redmond, WA
