Press Release
October 7, 2008
FOR IMMEDIATE RELEASE
Contact:
Jennifer Steffens
206.784.4313
marketing@ioactive.com

IOACTIVE SELECTED TO BE A MEMBER OF MICROSOFT'S INNOVATIVE SECURITY PROGRAM

Seattle, Wash—October 7, 2008. IOActive, an industry-leading provider of application security and risk management services, today announced that it is one of nine companies internationally selected to be a member of Microsoft's Security Development Lifecycle (SDL) Pro Network, which will kick off its year-long pilot phase in November 2008. The SDL Pro Network is a group of security service providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the Microsoft SDL. The program is designed to make the SDL accessible to companies outside of Microsoft, providing customer protection while continuing to improve the process itself.

Members of the SDL Pro Network will help organizations of all sizes implement SDL through five capability areas:

  • Training.  Provide security training and advice on implementing SDL in addition to exploring the company's organizational and policy capabilities.
  • Requirements and Design.  Plan how security will be integrated into software design by examining user requirements, industry standards, and threat models.
  • Implementation.  Perform code analysis and review, and enforce the use of safe APIs.
  • Verification.  Perform additional security code reviews alongside fuzzing and web application scanning.
  • Release and Response.  Perform a Final Security Review that includes response planning and execution to determine whether software is ready for customer delivery.

"IOActive is thrilled to be a member of this elite program and we are flattered that Microsoft trusts us as capable of delivering expert SDL services to the community. Institutions that choose to "bake" security into their development process—as opposed to "bolting" it on—will enjoy a significant competitive edge in the marketplace as enterprises and consumers increasingly seek out organizations that invest in proactively securing the technology ecosystem," said Joshua Pennell, president and CEO of IOActive.

Members of the SDL Pro Network are a select group of industry leaders that specialize in application security and have extensive experience with the Microsoft SDL. IOActive has worked closely with Microsoft for the last five years on a number of key initiatives—most notably, IOActive was one of the few companies hired by Microsoft to perform the code review of the Windows Vista operating system.

"We are really excited to work with IOActive on this project," said David Ladd, principal security program manager in Microsoft's Trustworthy Computing group. "With help from industry leaders like IOActive, we hope to not only increase accessibility of our SDL process, but to improve security protocol in software development as a whole."

As part of its Trustworthy Computing initiative, Microsoft developed the SDL with the objective of producing more secure software that could withstand the ever-changing nature of malicious attacks. The SDL applies security and privacy measures during each stage of development and requires that a final review occur before the software is released. The result is that software developed following the SDL protocol exhibits fewer security vulnerabilities.

IOActive is an industry leader that offers comprehensive security services including software assurance, infrastructure audits, training, incident response, and Governance Risk Compliance. Established in 1998 and headquartered in Seattle, IOActive has attracted many well-known security experts including Dan Kaminsky, Jason Larsen, Ward Spangenberg, and Ted Ipsen. For more information, please visit the Web site www.ioactive.com.

-###-


 



IOActive Profile:
Established: 1998
Headquarters: Seattle, WA and London, UK
Privately held and self-funded
 
IOActive Services:
Application Security, SCADA and Smart Grid, PCI and Compliance, Security Development Lifecycle, Infrastructure Audit, Incident Response and Training.
 
Customers:
Global 500 companies including power and utility, game, hardware, retail, financial, media, travel, aerospace, healthcare, high-tech, social networking, and software development organizations.
 


