Microsoft shares its SDL tools and expertise with the developer community

02 February 2010
According to the Microsoft Security Intelligence Report, in the last six months of 2009, 81% of reported vulnerabilities were in application software products. Increasingly crime-motivated cyber threats and the competitive marketplace mean that application developers are being challenged to engineer more secure products. Developers want to do the right thing but have been put off by difficulties in acquiring specialist security expertise and assumptions of huge additional cost and resource.

The Security Development Lifecycle (SDL), a security assurance process designed to reduce the number and severity of security vulnerabilities in software, was developed by Microsoft, is managed by the Trustworthy Computing group, and became mandatory for all Microsoft products in 2004.

Based on a belief that more secure code benefits everyone, Microsoft is committed to sharing its SDL tools, expertise and guidance with the broader developer community. To date, more than 48,000 developers have downloaded four free SDL tools and 78,000 have downloaded free SDL guidance.

At Black Hat DC in Washington DC, Microsoft’s Trustworthy Computing group is making three further announcements designed to share its SDL expertise:

Simplified Implementation of the Microsoft SDL

Many developers avoid secure development practices because they think it will cost too much and require huge resources. They are also put off adopting Microsoft’s SDL because they believe it is exclusively for the Microsoft platform. This white paper explains how the SDL can be implemented with limited resources and applied to other platforms.

MSF Agile + SDL

Microsoft will release Microsoft Solutions Framework for Agile Software Development plus Security Development Lifecycle (MSF Agile + SDL) Process Template for Visual Studio Team System (VSTS) 2008 beta (planned for release at the end of Q2). It will also announce that the MSF Agile + SDL process template for Visual Studio 2010 will be released shortly after Microsoft releases Visual Studio 2010 (currently scheduled for April 2010).

With the MSF Agile + SDL template, any code checked into the VSTS source repository by the developer is analyzed to ensure that it complies with SDL secure development practices. The template also automatically creates workflow tracking items for manual SDL processes such as threat modelling, to ensure that these important security activities are not accidentally skipped or forgotten. Finally, the template integrates with the other SDL tools, including the SDL Threat Modelling Tool, the BinScope Binary Analyzer, and MiniFuzz.

Expansion of SDL Pro Network

Microsoft will expand the SDL Pro Network, which was set up in November 2008. SDL Pro Network members are specialist security organizations that offer services to help organizations adopt the SDL.

At Black Hat DC, Microsoft will announce the creation of a Tools membership category to complement the Consulting and Training categories. Tools members are companies that are able to deploy a range of security tools, such as static analysis tools for the Implementation phase and dynamic and binary analysis tools for the Verification phase.

Finally, Microsoft will announce seven new members of the SDL Pro Network:
· Fortify (Tools Member)
· Veracode (Tools Member)
· Codenomicon (Tools Member)
· Booz Allen Hamilton (Consulting Member)
· Casaba Security (Consulting Member)
· Consult2Comply (Consulting Member)
· Safelight Security Advisors (Training Member)

More information about the Microsoft SDL Pro Network and its tools is available through the SDL portal.
