Microsoft builds SDL process into Visual Studio

David Worthington
May 19, 2009 —  (Page 1 of 2)
Microsoft is attempting to demystify its Security Development Lifecycle by transforming it from a written process into a template for automation in Visual Studio.

The SDL is a mandatory process used internally at Microsoft during the development of its products, and Microsoft began to share its SDL expertise and tooling with customers last year to help secure applications further down the Windows stack.

Today, a free download for Visual Studio 2008 Team System called the SDL Process Template became available on Microsoft's MSDN website. Microsoft is also working toward a release of the template for Visual Studio 2010.

Microsoft's objective is to help developers bootstrap internal security efforts, said David Ladd, principal security program manager of Microsoft’s SDL team.

Ladd's team also announced an expansion of the SDL Pro Network, a pilot program that trains security experts in tools and guidance associated with the SDL. The new participants are from Science Applications International Corp., a U.S. government contractor for cyber security initiatives, and the SANS Institute.

The template follows version 4.1 of the SDL document, providing auditable security requirements and project status information, as well as demonstrating a security return on investment, Ladd said. It is designed to provide guidance for customizing the SDL process for individual projects, and it includes an XML schema to import data from testing tools.

The schema is primarily designed for automating the integration of Microsoft's threat-modeling tool, but it also works with third-party tools that can format content for Team Foundation Server, said Ladd.

SDL 4.1 documentation was published today on MSDN. It includes updates to prior requirements and documentation, new guidance for online services and line-of-business application development, and closer alignment to traditional software development life-cycle phases.

"We made [the SDL] more complicated than it actually was," Ladd acknowledged. "Now, we've reduced the SDL to discreet steps. Organizations can make security gains without being security experts." Links are available to SDL documentation online.

A final security review demonstrates the progress that is being made toward completing all SDL tasks and how a team is doing against requirements, Ladd said.

Related Search Term(s): Microsoft, security, Visual Studio

Pages 1 2 

Share this link:

Microsoft releases Visual Studio 2013 Update 1
Targeted update rolls out technology improvements and bug fixes for Visual Studio 2013 Read More...

News on Monday  more>>
Android Developer News  more>>
SharePoint Tech Report  more>>
Big Data TechReport  more>>



Download Current Issue

Need Back Issues?

Want to subscribe?