Microsoft Offers Security Lifecycle Tool for VSTS

Teams developing applications using Microsoft Visual Studio Team System 2008 (VSTS 2008) can now better implement Microsoft's security development lifecycle (SDL) process using a new template addition.

On Tuesday, Microsoft released its SDL Process Template for VSTS 2008. The release closely follows the availability of VSTS 2008 beta 1, announced last week, as well as Monday's announcement of Visual Studio 2010 beta and .NET Framework 4.0 beta.

The new SDL Process Template leverages both VSTS 2008 and Team Foundation Server. It supports "auditing for satisfying the security requirements" at organizations developing applications, according to Microsoft's SDL blog. The blog provides a walkthrough showing how the template works.

The new template fulfills a long-awaited need, according to Chenxi Wang, Forrester Research's principal analyst for security and risk management.

"This new release embeds SDL processes inside Visual Studio, which users have been asking for a while now," Wang said. "Other software security vendors have long been producing plug-ins for Visual Studio. But Microsoft had not yet crafted any of their SDL process into Visual studio, and this new announcement represents the beginning of Microsoft doing that."

The embedding of SDL processes also helps because applications increasingly are becoming a security attack vector.

"Attackers are now targeting application vulnerabilities at a much higher rate than vulnerabilities found in the OS or browser," said Rob Sanfilippo, research VP for developer tools and platforms at Directions on Microsoft. "This way, development guidance and tools like those just released by Microsoft can be valuable for ISVs and corporate development teams, even those not using Microsoft's VS development platform."

Microsoft has been publishing its security development guidance based on its internal processes since 2004, Sanfilippo added. He described this latest SDL push "a step forward" but said there are still some enhancements to be made to the process.

"For example, the template doesn't take advantage of new features coming in VSTS 2010 such as modeling and new test features, and the threat model tool could be more tightly integrated with the IDE," he said. "The SDL team releases new offerings approximately annually, so we'll probably see enhancements such as these next year, which should be about six months after VS/VSTS 2010 ships."

The SDL Process Template for VSTS 2008 can be downloaded here.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus


  • Microsoft's Tools to Fight Solorigate Attack Are Now Open Source

    Microsoft open sourced homegrown tools it used to check its systems for code related to the recent massive breach of supply chains that the company has named Solorigate.

  • Microsoft's Lander on Blazor Desktop: 'I Don't See a Grand Unified App Model in the Future'

    For all of the talk of unifying the disparate ecosystem of Microsoft-centric developer tooling -- using one framework for apps of all types on all platforms -- Blazor Desktop is not the answer. There isn't one.

  • Firm Automates Legacy Web Forms-to-ASP.NET Core Conversions

    Migration technology uses the Angular web framework and Progress Kendo UI user interface elements to convert ASP.NET Web Forms client code to HTML and CSS, with application business logic converted automatically to ASP.NET Core.

  • New TypeScript 4.2 Tweaks Include Project Explainer

    Microsoft shipped TypeScript 4.2 -- the regular quarterly update to the open source programming language that improves JavaScript with static types -- with a host of tweaks including a way to explain why files are included in a project.

Upcoming Events