After years of informally working with its customers to improve their software development processes, Microsoft has announced a formal program to extend its Security Development Lifecycle to customers through a variety of new initiatives.
The company plans to work with a handful of third-party consultancies on a new program called the SDL Pro Network, through which Microsoft customers will be able to learn the secure development processes that the company has created in the last four years for developer training, defining design objectives and implementing best practices. In addition to the new network, Microsoft also will be releasing a set of guidelines for implementing the Security Development Lifecycle (SDL), called the SDL Optimization Model.
Since the company began its Trustworthy Computing program more than six years ago, Microsoft has gradually released bits and pieces of its internal work to the industry at large. Microsoft employees, most notably Michael Howard, author of The Security Development Lifecycle, have been vocal advocates for building better software from the ground up.
Both the SDL Optimization Model and version 3.0 of Microsoft's Threat Modeling Tool will be available for download in November, the company said. The tool is an internally developed application designed to allow software developers and architects to analyze their projects from a security point of view and identify potential attack vectors and other security issues during the development process. Microsoft has been using the tool internally for several years, but this is the first time the company is making it available to outside organizations.
The SDL Pro Network comprises several security-focused consultancies, including Cigital Inc., IOActive Inc., Leviathan Security Group Inc., iSEC Partners Inc. and Next Generation Security Software Ltd. Many of these companies have worked directly with Microsoft on portions of the SDL and have done assessments of Microsoft's own applications.
"We see Microsoft's launch of the SDL Pro Network as a way to take our best-of-breed experiences to work collaboratively with other security professionals to develop a consistent service offering around SDL. Regardless of the different methodologies in play, we all share the common goal of educating and delivering services that protect our clients' assets and good name through better software security. Any initiative that promotes that ideal is a continued step in the right direction," said Brian Mizelle, managing director and SDL practice manager at Cigital. "Collaborative efforts such as the SDL Pro Network that bring together the best minds in the business can only help improve what we do with our own customers and broaden our thoughts on the subject," Mizelle said.