Chapter 1: New Security Features


It is not hyperbole to say that almost every line of Windows Vista code has an increased focus on security. Each subsequent version of the Windows operating system (OS) has been demonstrably more secure than the previous one. Windows Vista is no different. It contains hundreds of new security features, and what isn't completely new is improved. Windows Vista includes new security mechanisms, improved versions of older features, enhanced integration, improved interfaces, and stronger default settings. Chapter 1 will cover the most significant new and improved Vista security settings. It's a long chapter, but worth the read.

Security Development Lifecycle

Not surprisingly, the increased security focus of Windows Vista began in the planning stages. Windows Vista is the first Microsoft OS to be built from the ground up using the Security Development Lifecycle (SDL). SDL is designed to infuse security into software development, starting long before the first line of code is written.

Crucial to SDL is the identification of potential threats using a method called threat modeling, in which every threat that can be imagined is documented. The lack of a coherent threat model led to most of the security design flaws of past Windows operating systems.

This time around, Microsoft employees and external security reviewers identified over 1,400 unique threat modeling scenarios. A large majority of the models focus on the dangers of automated malware (i.e., viruses, worms, Trojans, and bots), which previously were not given enough attention and have plagued the earlier versions of Windows.

Note

You can read more about SDL at http://www.msdn.microsoft.com/msdnmag/issues/05/11/SDL/default.aspx.

Most, if not all, Windows Vista developers have been trained in secure coding and SDL. All code is examined through several cycles of manual and automated review. Programmers review their own code and then submit it to peers for further analysis. Coders from one team review the code of other teams, and then hand it off to external code review teams.

Automated code review tools and fuzzers (http://www.en.wikipedia.org/wiki/Fuzz_testing) are used to spot code flaws that the reviewers missed. Microsoft is also expanding its use of a metalanguage called the Standard Annotation Language (SAL), which helps static analysis (i.e., automated code review) tools find more bugs in exchange for a bit more upfront annotation and documentation by the developer. See Michael Howard's blog (http://www.blogs.msdn.com/micheal_howard/archive/2006/05/19/602077.aspx) for more details.
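To show what SAL annotation buys the developer, here is an added example (not code from the book or from Microsoft) of a bounded string copy whose buffer contract is spelled out in SAL. The fallback no-op macro definitions for non-MSVC compilers are an assumption so the file builds anywhere; on MSVC `<sal.h>` supplies the real annotations, and the analyzer uses them to check callers against the declared buffer sizes.

```c
#include <stddef.h>
#include <string.h>

/* On MSVC, <sal.h> defines the annotations; elsewhere they are defined as
   no-ops here (assumption) so the code still compiles and runs. The
   annotations state the contract a static analyzer checks at every call site:
   dst has room for dst_len chars and is NUL-terminated on success, src is a
   NUL-terminated string, and a return value of 0 means success. */
#if defined(_MSC_VER)
#  include <sal.h>
#else
#  define _In_z_
#  define _Out_writes_z_(n)
#  define _Success_(expr)
#endif

/* Copy a NUL-terminated string into a caller-supplied buffer.
   Returns 0 on success, -1 if the destination is too small; on failure dst
   is left as an empty string rather than a truncated, unterminated value. */
_Success_(return == 0)
int copy_name(_Out_writes_z_(dst_len) char *dst, size_t dst_len, _In_z_ const char *src)
{
    if (dst == NULL || dst_len == 0) return -1;
    size_t n = strlen(src);
    if (n >= dst_len) {            /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);       /* n chars plus the terminator */
    return 0;
}

/* Caller that honors the contract: passes the buffer's real size. */
int caller_ok(void)
{
    char buf[16];
    return copy_name(buf, sizeof buf, "vista");
}

/* Caller with the classic mismatch SAL makes visible: buf is 8 bytes but 16 is
   claimed. With the annotation, the analyzer sees the local array is smaller
   than dst_len and can flag the call before the code ever runs. The runtime
   check below still rejects this 23-char input, but a 10-char input would pass
   it and overrun buf; only the annotation-driven check catches that case. */
int caller_lies_about_size(void)
{
    char buf[8];
    return copy_name(buf, 16, "this string is too long");
}
```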

Microsoft's Secure Windows Initiative Attack Team (SWIAT), its in-house red team, along with external penetration testers, tries to exploit what comes out of the multiple code reviews. Any flaws found are fed back into the SDL process and re-tested. David LeBlanc, Senior Microsoft Software Development Engineer, has stated that the SDL process has made Microsoft's number of bugs per thousand lines of code (known as bugs/KLOC) among the lowest in the industry (http://www.infoworld.com/article/05/09/16/38OPsecadvise_1.html).



Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
Year: 2004
Pages: 163
