Microsoft Offers SDL Tools to the Masses

Microsoft's Secure Development Lifecycle initiative introduces a set of dev requirements aimed at reducing security defects in software.

Microsoft is helping application developers build more secure code with two programs and a new tool developed in-house, as part of the company's Secure Development Lifecycle (SDL) initiative.

Microsoft last month released the SDL Optimization Model, Pro Network and Threat Modeling Tool. The offerings bring Redmond's best practices to the masses.

The SDL is a set of dev requirements aimed at reducing security defects in software. The process outlines a series of security-focused activities for each phase of the software development process. Before software subjected to the SDL can be released, it must undergo a final security review by a team independent of its dev group.

"The SDL has proved itself at Microsoft," says Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group. "Our own developers use it, we've reduced vulnerabilities in our software, and we feel pretty good about that."

Most interesting is the Threat Modeling Tool. Used for several years in-house at Microsoft, version 3.0 provides developers with early and structured analysis of potential security problems in their apps in the form of "thread-model documents," says Adam Shostack, senior program manager of Microsoft's SDL Team.

The tool saves the document as an XML file, he says, which can be exported to HTML and MHT using the included XSLTs. The tool is based on the threat-modeling methodology developed by Redmond for its own dev teams. It's available free for download here.

The SDL Optimization Model is a "security assurance" process, Shostack says, developed to "facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside Microsoft." Aimed at dev managers and IT policy makers, the model provides a framework for assessing the state of the security during development, and "create a vision and roadmap for reducing customer risk." The model is also free.

The SDL Pro Network combines SDL best practices with the expertise of a network of security consultants, Shostack says. These experts will offer SDL-based services, including training and design consulting.

Analysts and security experts praise Microsoft's latest implementation of the SDL. "Those guys have done a really nice job of rolling out software security to the developers at Microsoft," says Gary McGraw, CTO of software security consulting firm Cigital Inc. "I'm happy to see them talking about how they did that with other developers."

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS.  He can be reached at [email protected].

comments powered by Disqus


  • What's New in TypeScript 5.5, Now Generally Available

    Microsoft shipped the latest iteration of its type-infused superset of JavaScript, TypeScript 5.5, introducing inferred type predicates, control flow narrowing, JSDoc @import and other enhancements.

  • GitHub Copilot for Azure Gets Preview Glitches

    This reporter, recently accepted to preview GitHub Copilot for Azure, has thus far found the tool to be, well, glitchy.

  • New .NET 9 Templates for Blazor Hybrid, .NET MAUI

    Microsoft's fifth preview of .NET 9 nods at AI development while also introducing new templates for some of the more popular project types, including Blazor Hybrid and .NET MAUI.

  • What's Next for ASP.NET Core and Blazor

    Since its inception as an intriguing experiment in leveraging WebAssembly to enable dynamic web development with C#, Blazor has evolved into a mature, fully featured framework. Integral to the ASP.NET Core ecosystem, Blazor offers developers a unique combination of server-side rendering and rich client-side interactivity.

  • Nearest Centroid Classification for Numeric Data Using C#

    Here's a complete end-to-end demo of what Dr. James McCaffrey of Microsoft Research says is arguably the simplest possible classification technique.

Subscribe on YouTube