12 Months of Progress for the Microsoft Security Response Centre
by Stephen Toulouse - Security Program Manager of the Microsoft Security Response Centre (MSRC) - Tuesday, 25 October 2005.
There is very significant work going on behind the scenes in the development cycle of current and all future software releases coming from Microsoft. Certain categories of software released from Microsoft must now go through the Security Development Lifecycle (SDL) process, which aims to provide customers with high-quality software that is meticulously engineered and rigorously tested to help withstand malicious attack. We've published a lengthy whitepaper about this which is available here. Essentially, the SDL is a mandatory process that certain categories of Microsoft software must go through before they are released publicly. It helps us make sure that the software coming from Microsoft today has the latest security engineering advancements included in the code for the benefit of customers. It's a huge step forward for us to have this now as a formal process for our software. So far, we have used the SDL on Windows Server 2003, SQL Server 2000 SP3, and Microsoft Exchange Server SP3. Windows Server 2003 was the first operating system released at Microsoft that implemented large portions of the SDL, and compared to Windows 2000, it had 63 percent fewer vulnerabilities in the first year.

While these developments cover significant activity on the product development side at Microsoft as a whole, the Microsoft Security Response Center has also made available a number of free tools and special guidance that can help customers become more secure.

Customers have told us that they want more prescriptive and timely guidance on security issues and Microsoft has responded to that feedback by continuously improving the security communications we deliver to customers. This spring, we announced a pilot of a new offering, Microsoft Security Advisories, which aim to provide guidance and information about security related software changes or software updates. Microsoft Security Advisories, a supplement to the Microsoft Security Bulletins, address security changes that may not require a security bulletin but that may still impact customers' overall security.

In addition to the Microsoft Security Advisories, Microsoft has recently made available the Advanced Notification Program to help IT professionals plan their resources appropriately for deploying security updates. Three business days before the bulletins are released, general information is provided about the maximum number and severity of the bulletins. We've also enabled a Security Notification Service to alert customers to new bulletins and advisories as well as an RSS feed and MSN Messenger Alerts for security bulletins.


The MSRC also hosts monthly technical webcasts to offer customers additional support and guidance when deploying security updates, and regular Security360 webcasts to make prescriptive security guidance, education and training available to customers.

One of my favorite new things we've launched this year is the MSRC blog, which provides insight directly from those working in the MSRC on recent security-related news, announcements, activities and threat issues. This is a great way to get to know those folks that are working behind the scenes night and day to help protect customers. You can read all about it at blogs.technet.com/msrc/default.aspx.

Another new tool released this year is the Malicious Software Removal Tool. This tool is updated each month to remove the most common malware threats that may be present on a user's machine. To be clear, this tool is not meant to be a substitute for good anti-virus software. However, it can help customers get back on their feet if they have been affected by any of the threats the tool is designed to remove. We have had a good response to this so far and look forward to continuing to update it each month to help customers.

COPYRIGHT 1998-2013 BY HELP NET SECURITY.