SDL for dummies
Microsoft has made another attempt to convince the global developer community that its Security Development Lifecycle (SDL) is not just for large software vendors, but also for smaller software forges, by publishing a paper entitled "Simplified Implementation of the Microsoft SDL". It aims to familiarise small developer teams with the SDL and, instead of a hundred-page epic, explains the minimum requirements for complying with the SDL in 18 concise pages.
Microsoft seems to have concluded that many programmers ignore the SDL because they consider it too complex and involved. According to Microsoft's Security Intelligence Report v7 (SIR), however, it is now more necessary than ever for developers outside the Microsoft realm to mind their application security as well: the SIR states that 81% of all vulnerabilities were discovered in applications (excluding web browsers), and that only 5% were found in Microsoft products. The remaining vulnerabilities involve browsers.
The new implementation guide attempts to demonstrate that using the SDL to make applications more secure need not require significant additional time or money. As the SDL's tips and guidelines are not designed specifically for Windows, the SDL is also said to benefit programmers who develop for other platforms.
At the same time, Microsoft has made a free template available for download that allows the SDL to be used with the Microsoft Solutions Framework (MSF) for Agile Software Development. The template is designed to check code managed in the Visual Studio Team System (VSTS) environment for SDL compliance.
SDL users will also gain access to third-party tools. For this purpose, the SDL Pro Network has been given a new "tools" category. The SDL Pro Network includes vendors such as the German nruns AG, which assist other developers with adopting the SDL. The first members of the tools category are Fortify, Veracode and Codenomicon.