Microsoft Beefs Up Security Development Lifecycle

Microsoft has evolved its Security Development Lifecycle (SDL) to help developers better address security in the design and development phases of the application lifecycle. In addition, Microsoft is delivering an SDL optimization model, a new SDL service provider network and a new threat modeling tool.

In light of continuing and progressively more pernicious security threats heading into the application stack, Microsoft is evolving its Security Development Lifecycle and providing services, support and tools around it to help enterprises build more secure applications starting at the design and development phase.

Steve Lipner, Microsoft's senior director of security engineering strategy, said the SDL is a software security assurance process that has helped to embed security and privacy in Microsoft software and culture. The SDL has been a Microsoft-wide initiative and a mandatory policy since 2004, and it has led Microsoft to security improvements in flagship products such as Windows Vista and SQL Server.

Lipner said as part of its commitment to supporting a more secure and trustworthy computing ecosystem, Microsoft is making SDL process guidance, tools and training available for every developer. So Microsoft is sharing its SDL concepts with ISVs (independent software vendors), partners and customers with the objective of improving the security and privacy of the entire computing ecosystem. One way Microsoft plans to do this is through its new SDL Optimization Model. And the company also is finalizing a new SDL partner program and a threat modeling tool, all of which will be released in November.

"Enterprises aren't really focusing on security during development," Lipner told eWEEK. "So what we want to do is push that consideration of security back into development. Fixing bugs and problems is a lot easier to do in development than it is after a product is completed."

So Microsoft is providing its SDL Optimization Model to enterprises. "The SDL Optimization Model is a maturity model to let organizations self-assess how they are doing with security practices," Lipner said. "It gives you a way to look at what you're doing and think about what you might be doing next."

The Microsoft SDL Optimization Model was created to facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside of Microsoft. The SDL Optimization Model shows an organization's security at one of four levels: Basic, Standardized, Advanced or Dynamic. At the basic level, security is reactive; at the standardized level, security is proactive; at the advanced level, security is integrated; and at the dynamic level, security is specialized.

Moreover, to aid in adoption, the Microsoft SDL Optimization Model is grouped into five capability areas that assist with the budgeting, planning and staffing efforts associated with software development. These areas are: training, policy and organizational capabilities; requirements and design; implementation; verification; and release and response.