A Network of Expertise
Meanwhile, to address the challenge of software security threats moving up the stack and into the application layer, Microsoft has created the SDL Pro Network, which combines guidance and SDL best practices with the expertise of other service providers. The SDL Pro Network is a group of security service providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the Microsoft SDL, Lipner said.

Initial members of the SDL Pro Network include Cigital Inc., IOActive Inc., iSEC Partners Inc., Leviathan Security Group Inc., Next Generation Security Software Ltd. (NGS), n.runs AG, Security Innovation Inc., Security University Inc., and Verizon Business, Lipner said. "It is a network of security services providers we've worked with and who we can recommend," he said.

Services provided by the SDL Pro Network will include training, policy and organizational capabilities, including security training; requirements and design, including risk analysis, functional requirements and threat modeling; implementation work, including use of safe APIs, code analysis and code review; and verification, including fuzzing and Web application scanning.

Brian Mizelle, Managing Principal and SDL Practice Manager, Cigital, said:
"We see Microsoft's launch of the SDL Pro Network as a way to take our best of breed experiences to work collaboratively with other security professionals to develop consistent service offering around SDL. Regardless of the different methodologies in play we all share the common goal of educating and delivering services that protect our clients' assets and good name through better software security. Any initiative that promotes that ideal is a continued step in the right direction."

For his part, Jan Muenther, CTO Security, n.runs AG, said:
"What makes the SDL so valuable is the comprehensive approach. While too often security nowadays is taken into consideration too late into a project, adhering to the SDL brings security aspects into all phases of a software project, from the early design stage to deployment and maintenance. The cool thing here is - it actually works. We have seen this with the clients where we conducted security trainings for the developers. The percentage of 'classical' security flaws found in the subsequent security reviews has decreased drastically. Security is always significantly harder and more expensive to retrofit into an application than when it is brought to the table at an early stage of a project. Sticking to the procedures the SDL describes can help prevent frustrating, expensive and time consuming 'back to the black board' situations."

Kev Dunn, principal consultant and technical account manager at NGS, said NGS has been providing security advice to Microsoft for about five years. According to Dunn, Microsoft's SDL "represents a balanced and sensible approach to slipstreaming security into the software development lifecycle." The SDL introduces stringent security requirements for the use of technologies at the design and implementation phases of a project, ensuring that insecure or inappropriate methods cannot be used, and it sets high quality bars for the testing of software from the security and privacy standpoint, he said. The SDL also provides an invaluable guide for software developers when trying to set a minimum security development policy for their organization and offers a toolkit for implementing this standard without disrupting the core business of producing quality software applications, Dunn added. In addition, Dunn said of the SDL:
"The core elements of Microsoft's SDL are some of the core elements of NGS's security consultancy practice. When working with companies that have a software security requirement, including Microsoft themselves, NGS use a combination of training, product analysis and security assessment to highlight security weaknesses and strengthen a product offering. Threat modeling, fuzz testing and code review are all leveraged when analyzing the security footprint of software; used correctly in combination with SDL minimum standards, these activities will steer a development team away from poor design and implementation choices and will reveal existing security holes in a current product."

Meanwhile, Microsoft also is releasing a new threat modeling tool, the SDL Threat Modeling Tool 3.0. Adam Shostack, senior program manager for SDL at Microsoft, said the new Microsoft SDL Threat Modeling Tool 3.0 makes threat modeling easier for non-security experts by providing guidance on creating the threat models and analyzing them. In addition, the tool integrates with bug-tracking systems, thereby integrating the threat modeling process into the standard development process. This integration makes it easier for developers to think of security vulnerabilities as bugs and mitigations as features. Shostack said development teams are familiar with features and bugs, so they will relate to the tool. "We've been using the tool internally since last June," Shostack said.