HOME ALL STORIES LATEST NEWS COLUMNS OPINIONS EDITORIALS GUEST VIEWS SHORT TAKES DATA WATCH SPECIAL REPORTS ZEICHICK'S TAKE SD TIMES 100 EDITORS' BLOG

RSS FEEDS

FACEBOOK

TWITTER

WHITE PAPERS SPONSORED PROFILES JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE EVENTS CALENDAR ADVERTISING ARTICLE REPRINTS REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH SYSMANNEWS SPTECHCON ESDC IPHONEDEVCON PRIVACY POLICY CONTACT US

Printable version

HOME >> LATEST NEWS

Most Read Latest News Blog Resources

Does Windows cost Microsoft opportunities?
Microsoft's decision to focus .NET on Windows is stifling innovation due to the specter of...

Mono brings .NET to Android
At Microsoft MIX, Mono will unveil the ability to port .NET applications to the Android op...

OSBC focus turns to best practices for open-source adoption
Businesses are no longer asking why they should adopt, but how do they use open source leg...

Maven Studio for Eclipse gets developers up to speed
Sonatype tool simplifies onboarding by giving developers a way to easily deploy fully conf...

nVidia updates CUDA tools
Latest version helps developers turn desktops and servers with high-end GPUs into more pow...

Scrum Planning Board adds automation to Axosoft OnTime
Illustrations are also included to assist Scrum-using developers a better view of what the...

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.

Overcoming Development Challenges with Open Source Open source software can help you with your application development challenges. It doesn’t...

Accelerate Services and the Cloud Business units, functional groups, and different divisions of companies across industries...

Enterprise Mashup Platforms for Today’s Increasingly Complex and Real-Time Context Enterprise Mashups offer your company a new way to connect data from inside and outside yo...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

Microsoft builds SDL process into Visual Studio

By David Worthington

May 19, 2009 —

Microsoft is attempting to demystify its Security Development Lifecycle by transforming it from a written process into a template for automation in Visual Studio.

The SDL is a mandatory process used internally at Microsoft during the development of its products, and Microsoft began to share its SDL expertise and tooling with customers last year to help secure applications further down the Windows stack.

Today, a free download for Visual Studio 2008 Team System called the SDL Process Template became available on Microsoft's MSDN website. Microsoft is also working toward a release of the template for Visual Studio 2010.

Microsoft's objective is to help developers bootstrap internal security efforts, said David Ladd, principal security program manager of Microsoft’s SDL team.

Ladd's team also announced an expansion of the SDL Pro Network, a pilot program that trains security experts in tools and guidance associated with the SDL. The new participants are from Science Applications International Corp., a U.S. government contractor for cyber security initiatives, and the SANS Institute.

The template follows version 4.1 of the SDL document, providing auditable security requirements and project status information, as well as demonstrating a security return on investment, Ladd said. It is designed to provide guidance for customizing the SDL process for individual projects, and it includes an XML schema to import data from testing tools.

The schema is primarily designed for automating the integration of Microsoft's threat-modeling tool, but it also works with third-party tools that can format content for Team Foundation Server, said Ladd.

SDL 4.1 documentation was published today on MSDN. It includes updates to prior requirements and documentation, new guidance for online services and line-of-business application development, and closer alignment to traditional software development life-cycle phases.

"We made [the SDL] more complicated than it actually was," Ladd acknowledged. "Now, we've reduced the SDL to discreet steps. Organizations can make security gains without being security experts." Links are available to SDL documentation online.

A final security review demonstrates the progress that is being made toward completing all SDL tasks and how a team is doing against requirements, Ladd said.

"People cannot execute anything flawlessly, no matter how well-defined or well-explained," said Rex Black, president of Rex Black Consulting Services. As an example, he noted that many of his clients find reasons not to execute automated unit testing even though it is a clear rule for agile development.

"In the same way, people will carve out exceptions to the SDL for themselves, in some cases for legitimate reasons, in some cases not. This increases the percentage of security bugs that slip past," he said.

A dashboard is provided with the SDL template for development managers to track the progress that is being made toward meeting SDL requirements, Ladd said. He noted that many organizations are hesitant to implement an SDL type process without clear payback on investment.

The template allows project owners to give requirement updates, and it pumps data into Team Foundation Server, he added. An SDL document library is available to process participants through a SharePoint site.

"Even if a strategy is executed flawlessly, no strategy for dealing with risk (including security risk) is 100% effective. So, bugs will remain," Black concluded.

Related Search Term(s): Microsoft, security, Visual Studio

Share this link: http://www.sdtimes.com/link/33493

Microsoft adds runtime intelligence, anti-tampering features to VS 2010 Working with PreEmptive Solutions and its Dotfuscator product, Visual Studio 2010 will see more instrumentation capabilities and improvements to its code security. Developers can also take advantage of a new runtime intelligence streaming service.

Visual Studio Team System 2010 delivers on Microsoft’s vision for ALM Team Foundation Server adds new ALM capabilities to Visual Studio Team System 2010 in hopes of improving developer efficiency

Microsoft to ship jQuery with Visual Studio The popular open-source JavaScript library will be fully supported by Microsoft. The company is also planning to ship a version of jQuery that is designed to work better with Visual Studio.

Add comment

Name*
Email*
Country

Comment
Preview

News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 3/15/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.
03/17/2010 11:16 AM EST

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.
03/17/2010 11:08 AM EST

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.
03/16/2010 01:10 PM EST