Microsoft extends SDL program, adds Agile development template


Robert Westervelt, News Editor, SearchSecurity.com
02.04.2010
Microsoft is broadening its Security Development Lifecycle (SDL) program this week, introducing a new template to help IT organizations and coders build secure software, and a new category identifying tool vendors that support SDL processes.

The new MSF-A+SDL template was designed to bring Agile development methodologies into the Visual Studio IDE. Companies and software developers that follow Agile principles can use the template to apply the SDL to ongoing development projects on that platform.

The SDL process template released last year focused on waterfall and spiral development methodologies used internally at Microsoft for development on Office, Word and Windows -- projects that typically take years to complete, said David Ladd, principal security program manager for Microsoft.

"The trend over the long haul is pointing toward more rapid application development and Agile development," Ladd said. "In some cases you may have a Web component where it doesn't make sense to use processes suited for rapid application development, waterfall or spiral."

Specifically, the template addresses projects, such as Web applications and Web-based services, that have ongoing maintenance and development efforts, Ladd said. When a new iteration is added to a project, the template helps create the corresponding security tasks within the SDL.

In addition, the Agile template enables the SDL to check Visual Studio projects and website coding within the Agile source control repository. The template will also give the SDL the ability to create new requirements for ongoing projects.

The tool is available in beta and Ladd said Microsoft would accept feedback and make changes to the process until the full release expected by the end of the second quarter.

Microsoft introduced the SDL into its internal software development processes in 2004 to reduce the number and severity of vulnerabilities in its software. The SDL focuses on continual training, process improvement and accountability to help development processes react to the constantly changing threat landscape.

A new SDL white paper released today simplifies the SDL process. Ladd said the SDL can be implemented by anyone from a single freelance developer up to a large IT organization, but in the past, smaller IT teams were overwhelmed by the extensive SDL documentation and believed it was too difficult to implement. The new 17-page document is intended to address that, he said.

The SDL is an outgrowth of the software giant's Trustworthy Computing program, developed internally more than eight years ago. Since then, Microsoft has gradually released its internal work to the industry at large.

In 2008, Microsoft released a key set of guidelines, called the SDL Optimization Model, which helps IT organizations implement the SDL. A Threat Modeling Tool allows software developers and architects to analyze their projects from a security point of view and identify potential attack vectors and other security issues during the development process.

New SDL Pro Network category
Microsoft has also extended its SDL Pro Network, announcing a new "tool" category of membership among its SDL-approved vendors. Pro Network members have a broad understanding of Microsoft's secure development processes, conduct training and help companies implement best practices.

The "tool" category will help companies applying the SDL to choose SDL Pro Network member vendors with static analysis tools, fuzzers or dynamic and binary analysis tools. Fortify Software Inc., Veracode Inc. and Codenomicon Ltd. are the first tool vendors listed in the category, which also lists consulting and training firms.

Microsoft development tools are not needed to implement the SDL, Ladd said.

"If you use a security tool and it works well in your environment then keep on using it," Ladd said. "The SDL is not a rip and replace framework by any stretch of the imagination."
