News

Microsoft Offers SDL Tools to the Masses

Microsoft's Secure Development Lifecycle initiative introduces a set of dev requirements aimed at reducing security defects in software.

Microsoft is helping application developers build more secure code with two programs and a new tool developed in-house, as part of the company's Secure Development Lifecycle (SDL) initiative.

Microsoft last month released the SDL Optimization Model, Pro Network and Threat Modeling Tool. The offerings bring Redmond's best practices to the masses.

The SDL is a set of dev requirements aimed at reducing security defects in software. The process outlines a series of security-focused activities for each phase of the software development process. Before software subjected to the SDL can be released, it must undergo a final security review by a team independent of its dev group.

"The SDL has proved itself at Microsoft," says Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group. "Our own developers use it, we've reduced vulnerabilities in our software, and we feel pretty good about that."

Most interesting is the Threat Modeling Tool. Used for several years in-house at Microsoft, version 3.0 provides developers with early and structured analysis of potential security problems in their apps in the form of "thread-model documents," says Adam Shostack, senior program manager of Microsoft's SDL Team.

The tool saves the document as an XML file, he says, which can be exported to HTML and MHT using the included XSLTs. The tool is based on the threat-modeling methodology developed by Redmond for its own dev teams. It's available free for download here.

The SDL Optimization Model is a "security assurance" process, Shostack says, developed to "facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside Microsoft." Aimed at dev managers and IT policy makers, the model provides a framework for assessing the state of the security during development, and "create a vision and roadmap for reducing customer risk." The model is also free.

The SDL Pro Network combines SDL best practices with the expertise of a network of security consultants, Shostack says. These experts will offer SDL-based services, including training and design consulting.

Analysts and security experts praise Microsoft's latest implementation of the SDL. "Those guys have done a really nice job of rolling out software security to the developers at Microsoft," says Gary McGraw, CTO of software security consulting firm Cigital Inc. "I'm happy to see them talking about how they did that with other developers."

About the Author

John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS.  He can be reached at [email protected].

comments powered by Disqus

Featured

  • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

    The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

  • Diving Deep into .NET MAUI

    Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

  • Copilot AI Boosts Abound in New VS Code v1.96

    Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

  • AdaBoost Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

  • Versioning and Documenting ASP.NET Core Services

    Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

Subscribe on YouTube