Microsoft wants to bring its secure development lifecycle to an application near you.
In a series of announcements, the company laid out a path today to speed the adoption of its security development lifecycle (SDL) in the developer community. For starters, the company has released version 1.0 of the SDL Process Template for free and integrated it with the Visual Studo Team System.
"In the face of growing security risks, software developers should leverage Microsoft's freely available SDL programs and tools to improve the security and privacy of their applications early on and throughout the development lifecycle," explained David Ladd, principal security program manager of Microsoft's Security Development Lifecycle team, in an e-mail.
Part of Microsoft's Trustworthy Computing effort, the SDL is a process Microsoft developed over the years to provide customers with high-quality and rigorously tested software. In addition to engineer training, the SDL encompasses a systematic series of mandated security- and privacy-focused activities such as threat modeling, the use of static analysis code-scanning tools during implementation and security and privacy testing. During the release phase, the SDL also includes response planning, release archive activities and final security review.
The template's integration with Visual Studio Team System (VSTS) is meant to create what Ladd called a "direct line to the developers creating many of the applications used by consumers today." VSTS offers development teams an integrated set of tools for application architecture, design, development and testing. Beyond that, the template also accommodates third-party tools that work with Team Foundation Server.
Taken together, VSTS and Team Foundation Server provide a framework for managing software used by program managers, developers and testers working together on a project, Ladd said.
"By integrating the SDL into this framework, each of those project roles can leverage the SDL components to easily implement a proven security assurance process," he added.
The template automates the creation of base SDL requirements and recommendations, and includes guidance for SDL as a how-to for users. In addition, it provides auditable security reports that can be used to verify whether SDL requirements were met prior to a product's release.
In addition to the template, Microsoft also released today the SDL Version 4.1 documentation, which updates previous SDL requirements and recommendations and guidelines for line-of-business application development. The company also announced that the SANS Institute and the Science Applications International Corp. (SAIC) have joined Microsoft's SDL Pro Network.