Beyond SD3

Back in 2001, all the Windows security courses I taught were quoting Microsoft’s SD3 security strategy. Essentially SD3 stood for:-

* Secure by Design
* Secure by Default and
* Secure in Deployment

In those days, non-Windows people would laugh with a sarcastic smile and ask "is there really any security in Windows?" Of course there is security, but it just didn't fit the SD3 model. For example, the courses would focus on how to lock down the default configuration and show how to create a secure deployment of Windows systems. However, the courses would then go slightly off track and focus on other areas of Windows security, and my belief is that SD3 just wasn't enough to give complete protection. Rather than go into the reasons, I'd like to quote from Microsoft's paper on End to End Trust.

The problem with SD3 lies in its inherent limitations. Even if products are engineered to be “Secure by Design” and vulnerability counts continue to drop, it is indisputable that the number of vulnerabilities in large and complex products (several of which are likely to be installed on a single system) cannot be reduced to zero in the foreseeable future.

“Secure by Default” is inherently limited because the attack surface can only be reduced, not eliminated, and features are created precisely because a broad set of users need the feature activated. Similarly, many legacy software applications require the user to run as “admin,” thus undermining some of the intended security benefits of running as a standard user. And although “Secure in Deployment” is important, patches are reverse engineered, and exploits launched, faster than many users can test and deploy patches.


Microsoft’s End to End Trust Paper

As a result, SD3 was later supplemented with a defence in depth strategy (a layered defence model). However, neither of these could cope with threats such as spam, phishing attacks, or botnets, and so, although a good initial position to take, they had to be evolved and improved on.