News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 2/1/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

Visual Studio 2010 Release Candidate Available Today
A Visual Studio 2010 release candidate is available on MSDN.
02/09/2010 09:45 AM EST

Is Microsoft eyeing Office subscription pricing?
Microsoft may be preparing to offer a new Office pricing option called "union," which charges the same for cloud as on-premises.
02/01/2010 09:38 AM EST

Facebook rewrites PHP runtime
Facebook is about to open source its own PHP runtime, written from scratch for speed.
01/30/2010 08:53 PM EST

2/9/2010 to 2/13/2010
San Francisco
IDG World Expo

SPTechCon 2010

2/10/2010 to 2/12/2010
San Francisco
BZ Media

PyCon 2010 (Python Conf.)

2/17/2010 to 2/25/2010
Atlanta
Python Software Foundation

Southern Calif. Linux Expo

2/19/2010 to 2/20/2010
Los Angeles
SCALE

IBM Pulse

2/21/2010 to 2/24/2010
Las Vegas
IBM

HOME ALL STORIES LATEST NEWS COLUMNS OPINIONS EDITORIALS GUEST VIEWS SHORT TAKES DATA WATCH SPECIAL REPORTS ZEICHICK'S TAKE SD TIMES 100 EDITORS' BLOG

RSS FEEDS

FACEBOOK

TWITTER

WHITE PAPERS SPONSORED PROFILES JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE EVENTS CALENDAR ADVERTISING ARTICLE REPRINTS REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH SYSMANNEWS SPTECHCON ESDC IPHONEDEVCON PRIVACY POLICY CONTACT US

Printable version

HOME >> LATEST NEWS

Most Read Latest News Blog Resources

Facebook brings HipHop to PHP
HipHop compiles PHP to speed up the Web layer at world's most popular social networking si...

Adobe moves LiveCycle application platform to the cloud
Release gives developers just what they need to create targeted business process-oriented ...

Syncfusion announces component suite for .NET 4
Essential Studio 2010 has business intelligence, reporting and UI controls, ready for .NET...

Adobe moves LiveCycle application platform to the cloud
Release gives developers just what they need to create targeted business process-oriented ...

Oracle acquires AmberPoint
Today's merger will probably affect most of AmberPoint's existing partnerships with other ...

Syncfusion announces component suite for .NET 4
Essential Studio 2010 has business intelligence, reporting and UI controls, ready for .NET...

Visual Studio 2010 Release Candidate Available Today
A Visual Studio 2010 release candidate is available on MSDN.

Is Microsoft eyeing Office subscription pricing?
Microsoft may be preparing to offer a new Office pricing option called "union," which charges the same for cloud as on-premises.

Facebook rewrites PHP runtime
Facebook is about to open source its own PHP runtime, written from scratch for speed.

The Agile Heartbeat When an organization goes Agile, who’s the most affected? Programmers? Testers? Stakeholde...

Open Source Community Practices in the Enterprise In the enterprise, open source software is recognized for the cost savings it delivers whe...

Enterprise Mashup Platforms for Today’s Increasingly Complex and Real-Time Context Enterprise Mashups offer your company a new way to connect data from inside and outside yo...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

Microsoft builds SDL process into Visual Studio

By David Worthington

May 19, 2009 —

Microsoft is attempting to demystify its Security Development Lifecycle by transforming it from a written process into a template for automation in Visual Studio.

The SDL is a mandatory process used internally at Microsoft during the development of its products, and Microsoft began to share its SDL expertise and tooling with customers last year to help secure applications further down the Windows stack.

Today, a free download for Visual Studio 2008 Team System called the SDL Process Template became available on Microsoft's MSDN website. Microsoft is also working toward a release of the template for Visual Studio 2010.

Microsoft's objective is to help developers bootstrap internal security efforts, said David Ladd, principal security program manager of Microsoft’s SDL team.

Ladd's team also announced an expansion of the SDL Pro Network, a pilot program that trains security experts in tools and guidance associated with the SDL. The new participants are from Science Applications International Corp., a U.S. government contractor for cyber security initiatives, and the SANS Institute.

The template follows version 4.1 of the SDL document, providing auditable security requirements and project status information, as well as demonstrating a security return on investment, Ladd said. It is designed to provide guidance for customizing the SDL process for individual projects, and it includes an XML schema to import data from testing tools.

The schema is primarily designed for automating the integration of Microsoft's threat-modeling tool, but it also works with third-party tools that can format content for Team Foundation Server, said Ladd.

SDL 4.1 documentation was published today on MSDN. It includes updates to prior requirements and documentation, new guidance for online services and line-of-business application development, and closer alignment to traditional software development life-cycle phases.

"We made [the SDL] more complicated than it actually was," Ladd acknowledged. "Now, we've reduced the SDL to discreet steps. Organizations can make security gains without being security experts." Links are available to SDL documentation online.

A final security review demonstrates the progress that is being made toward completing all SDL tasks and how a team is doing against requirements, Ladd said.

"People cannot execute anything flawlessly, no matter how well-defined or well-explained," said Rex Black, president of Rex Black Consulting Services. As an example, he noted that many of his clients find reasons not to execute automated unit testing even though it is a clear rule for agile development.

"In the same way, people will carve out exceptions to the SDL for themselves, in some cases for legitimate reasons, in some cases not. This increases the percentage of security bugs that slip past," he said.

A dashboard is provided with the SDL template for development managers to track the progress that is being made toward meeting SDL requirements, Ladd said. He noted that many organizations are hesitant to implement an SDL type process without clear payback on investment.

The template allows project owners to give requirement updates, and it pumps data into Team Foundation Server, he added. An SDL document library is available to process participants through a SharePoint site.

"Even if a strategy is executed flawlessly, no strategy for dealing with risk (including security risk) is 100% effective. So, bugs will remain," Black concluded.

Related Search Term(s): Microsoft, security, Visual Studio

Share this link: http://www.sdtimes.com/link/33493

Microsoft adds runtime intelligence, anti-tampering features to VS 2010 Working with PreEmptive Solutions and its Dotfuscator product, Visual Studio 2010 will see more instrumentation capabilities and improvements to its code security. Developers can also take advantage of a new runtime intelligence streaming service.

Visual Studio Team System 2010 delivers on Microsoft’s vision for ALM Team Foundation Server adds new ALM capabilities to Visual Studio Team System 2010 in hopes of improving developer efficiency

Microsoft to ship jQuery with Visual Studio The popular open-source JavaScript library will be fully supported by Microsoft. The company is also planning to ship a version of jQuery that is designed to work better with Visual Studio.

Add comment

Name*
Email*
Country

Comment
Preview

Microsoft builds SDL process into Visual Studio

By David Worthington

Related Articles

Add comment