Microsoft releases free tool for secure software development
As part of its Security Development Lifecycle (SDL), Microsoft has now made a tool available that allows programmers to integrate the knowledge accumulated through SDL into their software development environment. SDL is Microsoft's process for developing software that is as secure and bug-free as possible. Within Microsoft, SDL has been an integral component of the development of all applications and operating systems since 2004.
In order to allow non-Microsoft developers to make use of SDL, the software giant had previously released the specifications and recommendations in the form of written documentation only, and adapting a development process to utilise SDL was correspondingly laborious. The company has now released a tool, in the form of the SDL Process Template for Visual Studio Team System, which maps the current SDL version, 4.1, in its entirety.
As Glenn Pittaway, Group Program Manager for the SDL Team, told heise Security, the source code must be present in Visual Studio. If this is not the case, the template is of no benefit. Nonetheless, they have tried to make it as simple as possible for developers familiar with Visual Studio Team System to work with SDL. Even developers lacking specific security expertise should, according to Pittaway, be able to write secure code.
Pittaway was unable to say whether Microsoft would be providing templates for other software development environments, stating that they were waiting for feedback from the developer community and might provide versions that were not exclusive to Visual Studio if it became clear that the demand existed. In SDL 4.1 Microsoft has, according to Pittaway, placed strong emphasis on online applications. Web services and local applications that are constantly or frequently connected to the web impose a whole new set of security requirements, and this is consequently an area on which the SDL development team has concentrated closely.
Developers who wish to base their own programming process on SDL can adapt the long list of specifications and recommendations to their own requirements and avoid following process steps which are not relevant to them. The template allows each task, such as resolving a bug in the source code, to be assigned to a person or team. The status of any project should be visible at a glance. It is also easy to generate statistics and reports which can be used to assess the effectiveness of external bug-detecting tools.
Pittaway illustrates the importance of developing secure applications with a few statistics. The proportion of all discovered exploits involving the operating system is now down to a little under ten per cent. He notes that the remaining 90 per cent occur in applications and browsers. Pittaway also states that 70 per cent of all application developers do not subject their programs to any security testing prior to release. The US National Institute of Standards and Technology (NIST) has determined that detecting and resolving security problems during the design phase is 30 times cheaper than doing so after the product has been completed.
Dan Kaminsky, recently in the limelight for discovering the DNS cache poisoning vulnerability, also affirms the fitness for purpose of SDL. He is one of the external security experts regularly brought in by Microsoft for source code audits. Kaminsky has told journalists that code generated using SDL is many times better and more secure than code written prior to 2004.