Microsoft announced that it would make available three Security Development Lifecycle (SDL) programs and tools to help the industry improve security and privacy technology.
The SDL Optimization Model, the SDL Pro Network, and the Microsoft SDL Threat Modeling Tool are expected to be available this fall.
Microsoft developed SDL in 2004 to address security vulnerabilities in its software. It's credited with reducing vulnerabilities in Vista and SQL Server.
“The need to build and preserve trust in computing, coupled with the need to protect critical infrastructures, means that all software vendors must build security and privacy into their products,” Steve Lipner, Microsoft's senior director of security engineering strategy, Trustworthy Computing Group, told SCMagazineUS.com on Wednesday. “The Microsoft Trustworthy Computing Group is committed to help make the online world more secure for customers. One way we're doing this is by sharing our SDL best practices and making the tools freely available to organizations outside of Microsoft.”
For the software industry, Lipner added, the key to meeting today's demand for improved security and privacy is to implement repeatable processes that reliably deliver measurably improved security and privacy.
“Such a process is intended to minimize the number of security vulnerabilities in the design, coding and documentation, and to detect and remove those vulnerabilities as early in the development lifecycle as possible.”
The Microsoft SDL Threat Modeling Tool provides automatic guidance on creating and analyzing threat models. The tool also integrates with vulnerability tracking systems and incorporates the threat modeling process into the standard development process.
The SDL Optimization Model is designed to help create a long-term plan for building and achieving security assurance in software. The model identifies cost-effective ways to attain measurable security process improvements with realistic resources.
Both of those offerings are free.
The SDL Pro Network members are security consultants from the United States and Europe who specialize in application security.
Matt Sergeant, senior anti-spam technologist at MessageLabs, a business security services company, said that while SDL won't solve all security problems, it will help organizations put a good security structure in place.
“It's a good thing that people will have access to SDL,” Sergeant told SCMagazineUS.com. “It will make security a focus for companies.”