Microsoft has moved to update its Security Development Lifecycle to make it easier for developers to create new applications with security in mind at the front end of the application development cycle.
At the Black Hat security conference in Washington, Microsoft made a series of announcements around its SDL architecture. For instance, Microsoft announced a simplified implementation of the SDL. According to a Microsoft document describing the simplified solution: “Many developers avoid secure development practices because they think it will cost too much and require huge resources. They are also put off adopting Microsoft’s SDL because they believe it is exclusively for the Microsoft platform. This white paper explains how the SDL can be implemented with limited resources and applied to other platforms.”
Microsoft also announced support for Agile development with its SDL solution. According to Microsoft’s own description of its Agile support:
““Microsoft will release a beta of a free, downloadable template for applying Security Development Lifecycle (SDL) methodology to the Microsoft Solutions Framework (MSF) for Agile Software Development process. The MSF for Agile Software Development plus SDL Process Template for Visual Studio Team System 2008 lets developers integrate the SDL-Agile secure development methodology directly into the Visual Studio development environment. A beta template for Visual Studio 2010 will be available shortly after Microsoft releases that product in April. A final release of both templates is currently scheduled for the second quarter of 2010.”“
A Microsoft fact sheet on the Agile support said:
““With the MSF Agile + SDL template, any code checked into the Visual Studio Team System source repository by the developer is analyzed to ensure that it complies with SDL secure development practices. The template also automatically creates workflow tracking items for manual SDL processes such as threat modeling to ensure that these important security activities are not accidentally skipped or forgotten. Finally, they integrate with the other SDL tools, including the Microsoft SDL Threat Modeling Tool, the Microsoft Binscope Binary Analyzer and the Microsoft MiniFuzz File Fuzzer Tool.”“
Also at Black Hat, Microsoft announced that it will expand the SDL Pro Network, which was set up in November 2008. SDL Pro Network members are specialist security organizations that offer services to help organizations adopt the SDL.
Microsoft is expected to announce the creation of a Tools membership category to complement the Consulting and Training categories. Tools members are companies that are able to deploy a range of security tools, such as static analysis tools for the Implementation phase and dynamic and binary analysis tools for the Verification phase.
At the conference, Microsoft will announce seven new members of the SDL Pro Network:
Fortify (Tools Member)
Veracode (Tools Member)
Codenomicon (Tools Member)
Booz-Allen Hamilton (Consulting Member)
Casaba Security (Consulting Member)
Consult2Comply (Consulting Member)
Safelight Security Advisors (Training Member)
Microsoft said that, to date, more than 48,000 developers have downloaded four free SDL tools and 78,000 have downloaded free SDL guidance.