Microsoft moves to simplify and enhance its SDL range

Microsoft has bolstered its security development lifecycle (SDL) range with a new tool, program and white paper.

They are all being launched at the Black Hat conference in Washington DC. The company claimed that the SDL "pond may have seemed quiet over the holidays, but we have three new announcements we hope will make ripples for developers and organisations who want to adopt the SDL".

The tool is the first public beta of the new MSF for Agile Software Development plus SDL Process Template for visual studio team system (VSTS) 2008, or 'MSF-A+SDL'. It said that like the SDL Process Template released last year, this template will help teams to integrate secure development processes directly into their VSTS development environment.

With the MSF-Agile+SDL template, any code checked into the VSTS source repository by the developer is analysed to ensure that it complies with SDL secure development practices. The template also automatically creates workflow tracking items for manual SDL processes, such as threat modelling, to ensure that these important security activities are not accidentally skipped or forgotten.

They also integrate with other SDL tools, including the SDL threat modelling tool, the Binscope binary analyser and Minifuzz.

David Ladd, principal security program manager of Microsoft's SDL team, said: “In the past one-and-a-half to two years, we were hoping to get into the hands of the developers, and people are taking a look and we hope what we are putting forward now is getting a job done.”

He further commented that MSF is targeted at developers and is a free download to anyone who has the ability. Also, combined with the expansion of the SDL Pro Network to include a new category of membership called Tools, Ladd said that it is a template of the actual way of doing the process.

Tools has been added to the network to complement the existing consulting and training categories, and members will be able to deploy security tools such as static analysis tools, 'fuzzers' or dynamic and binary analysis tools.

The Pro Network has also been expanded to include seven new members: Fortify, Veracode and Codenomicon as tool members, Booz Allen Hamilton, Casaba Security and Consult2Comply as consulting members, and Safelight Security Advisors as a training member.

Finally, a simplified SDL whitepaper has been released to clear misconceptions about the Microsoft SDL by explaining how the SDL can be implemented with limited resources and applied to any platform.

Ladd said: “This is a follow on in three ways, it is the same programme, but it networks to SDL to make changes to developers to make it easier, and the tool makes improvements to the developer community.”

See original article on scmagazineus.com