Microsoft wants to speed adoption of its security development lifecycle (SDL), starting with the release of a free SDL Process Template that is integrated with the Visual Studio Team System. The company also announced additions to its SDL Pro Network and updates to the SDL process.
Microsoft wants to bring
its secure development lifecycle to an application near you.
In a series of announcements, the
company laid out a path today to speed the adoption of its security
development lifecycle (SDL) in the developer community. For starters, the
company has released version 1.0 of the SDL Process Template
for free and
integrated it with the Visual Studo Team System.
"In the face of growing security
developers should leverage
Microsoft's freely available SDL programs and
tools to improve the security and privacy of their applications early on and
throughout the development lifecycle," explained David Ladd, principal security
program manager of Microsoft's Security Development Lifecycle team, in an
Part of Microsoft's Trustworthy
Computing effort, the SDL is a process Microsoft developed over the
years to provide customers with high-quality and rigorously tested
software. In addition to engineer training, the SDL encompasses a systematic
series of mandated security- and privacy-focused activities such as threat
modeling, the use of static analysis code-scanning tools during implementation
and security and privacy testing. During the release phase, the SDL also
includes response planning, release archive activities and final security review.
The template's integration
with Visual Studio Team System (VSTS) is meant to create what Ladd called
a "direct line to the developers creating many of the applications used by
consumers today." VSTS offers development teams an integrated set of
tools for application architecture, design, development and testing. Beyond
that, the template also accommodates third-party tools that work with Team
Taken together, VSTS and Team
Foundation Server provide a framework for managing software used by program
managers, developers and testers working together on a project, Ladd said.
"By integrating the SDL into this
framework, each of those project roles can leverage the SDL components to
easily implement a proven security assurance process," he added.
The template automates the
creation of base SDL requirements and recommendations, and includes guidance
for SDL as a how-to for users. In addition, it provides auditable security
reports that can be used to verify whether SDL requirements were met prior to a
In addition to the template,
Microsoft also released today the SDL Version 4.1 documentation, which
updates previous SDL requirements and recommendations and guidelines for
line-of-business application development. The company also announced that
the SANS Institute and the Science Applications International Corp. (SAIC) have
joined Microsoft's SDL Pro Network.