Microsoft to support secure software development
Microsoft wants to support companies' efforts to introduce security-oriented software development processes. These efforts take the form of three components that Microsoft wants to make available starting in November 2008: a new version of the SDL Threat Modelling Tool, the SDL Optimization Model, and the SDL Pro Network.
Since Bill Gates' legendary memo six years ago, there has been a significant change in the level of importance the company places on security. One of the most important consequences of that change was the introduction of the Security Development Lifecycle (SDL), which all Microsoft products now pass through. It starts with developer training, shapes the design phase, and then detects bugs across the complete lifecycle of the software -- from implementation, to release, to bug reports. Now other software vendors will also be able to benefit from the experience gathered with this concept.
The SDL Threat Modelling Tool makes it possible to represent a software or service architecture graphically, helping to reveal potential dangers as early as the design phase. The tool is intended more for software architects than for security experts; a Microsoft video – WMV file – illustrates how it works. Version 3.0 will be available as a free download starting in November.
The SDL Optimization Model is a kind of guide, based on Microsoft's concept and implementation, to setting up and optimising a secure development process. Within the framework of the SDL Pro Network, nine security companies working closely with Microsoft will offer concrete, practical assistance in taking such a step.
Along with Cigital, IOActive, iSEC Partners, Leviathan Security Group, n.runs AG, Security Innovation, Security University, and Verizon Business, the UK company Next Generation Security Software, based in Surrey, will take part in the year-long pilot programme. These service providers will offer both comprehensive SDL-related training and project-related assistance.