Microsoft Offers SDL Tools to the Masses
Microsoft's Secure Development Lifecycle initiative introduces a set of dev requirements aimed at reducing security defects in software.
Microsoft is helping application developers build more secure code with two programs and a new tool developed in-house, as part of the company's Secure Development Lifecycle (SDL) initiative.
Microsoft last month released the SDL Optimization Model, Pro Network and Threat Modeling Tool. The offerings bring Redmond's best practices to the masses.
The SDL is a set of dev requirements aimed at reducing security defects in software. The process outlines a series of security-focused activities for each phase of the software development process. Before software subjected to the SDL can be released, it must undergo a final security review by a team independent of its dev group.
"The SDL has proved itself at Microsoft," says Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group. "Our own developers use it, we've reduced vulnerabilities in our software, and we feel pretty good about that."
Most interesting is the Threat Modeling Tool. Used for several years in-house at Microsoft, version 3.0 provides developers with early and structured analysis of potential security problems in their apps in the form of "threat-model documents," says Adam Shostack, senior program manager of Microsoft's SDL Team.
The tool saves the document as an XML file, he says, which can be exported to HTML and MHT using the included XSLTs. The tool is based on the threat-modeling methodology developed by Redmond for its own dev teams. It's available as a free download.
The SDL Optimization Model is a "security assurance" process, Shostack says, developed to "facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside Microsoft." Aimed at dev managers and IT policy makers, the model provides a framework for assessing the state of security during development and helps them "create a vision and roadmap for reducing customer risk." The model is also free.
The SDL Pro Network combines SDL best practices with the expertise of a network of security consultants, Shostack says. These experts will offer SDL-based services, including training and design consulting.
Analysts and security experts praise Microsoft's latest implementation of the SDL. "Those guys have done a really nice job of rolling out software security to the developers at Microsoft," says Gary McGraw, CTO of software security consulting firm Cigital Inc. "I'm happy to see them talking about how they did that with other developers."