Windows XP Gets Security Certification
Touting the success of its new Security Development Lifecycle (SDL) process, Microsoft late Wednesday said Windows Server 2003 and Windows XP SP2 Professional and Embedded have secured the highest Common Criteria security certification from the United States government's National Information Assurance Partnership.
Four versions of Windows Server 2003 were certified, including Standard Edition, Enterprise Edition, Datacenter Edition and Windows Server 2003 Certificate Server. Both Windows 2000 Professional and Server editions previously achieved the same security rating, dubbed Evaluation Assurance Level (EAL) 4.
To obtain the certification, which is handled by Science Applications International Corp. (SAIC), the six operating systems were put through 20 real-world scenarios, or "workloads." The Common Criteria testing was ratified as an international standard in 1999.
"CC certification of these Windows platform products, which includes evaluation of the broadest set of real-world scenarios of any operating system platform today, underscores our deep and ongoing commitment to the Common Criteria process," said Steve Lipner, senior director of security engineering strategy at Microsoft.
Lipner said SDL played a critical role in helping to achieve the certification. SDL is Microsoft's new approach to software development, in which it carefully reviews all code for security risks and takes into account the best practices it learned after undertaking an extensive security review in 2002.
Microsoft says its newly released development products, Visual Studio 2005 and SQL Server 2005, have undergone the SDL process from beginning to end. In the process, the company also developed two security debugging tools known as PREfast and FxCop.
"This milestone complements our ongoing advances in software quality through the Security Development Lifecycle process, ultimately benefiting any IT organization that is serious about security," Lipner added.