Michael Howard, a member of Microsoft's Red Team, delivers a keynote reflecting on nearly 25 years of the Microsoft Security Development Lifecycle (SDL). He traces the origins from the Secure Windows Initiative and early IIS vulnerabilities (Code Red, Nimda) through the formalization of SDL, its evolution to support agile development, and its expansion into the Secure Future Initiative (SFI). Key themes include the urgent need to move away from C/C++ toward memory-safe languages like Rust, the dangers of JavaScript's undefined behavior, the growing threat of identity-based attacks and OAuth2 token vulnerabilities, and how AI agents are dramatically reducing developer toil in security remediation (e.g., cutting resolution time from 5.9 months to 1.6 months). He also warns that LLMs can produce subtly insecure code (e.g., hash length extension vulnerabilities) and stresses that humans must remain in the loop. Core takeaways: adopt memory-safe languages, reduce cognitive burden on engineers, build paved paths for secure development, and always distinguish between security features and securing features.