Microsoft has been releasing small bits and pieces of its internal security program for a couple of years now, and on Monday the company took that a big step further by publishing its Security Development Lifecycle Optimization Model and the attendant SDL Threat Modeling Tool. These are sort of the crown jewels of the security program that Microsoft has been working on since Bill Gates’s famous Trustworthy Computing memo. The SDL itself is the heart of the changes the company has made, and Microsoft officials have been talking it up for years. Other software vendors have implemented similar programs, but it’s still more the exception than the norm.
The SDL Threat Modeling Tool is a companion to the SDL and is supposed to be used by developers to find and diagnose threat vectors in their applications and then figure out some mitigations for those problems. Neither of these is a cure-all, but Microsoft has spent a whole pile of money on both the SDL and threat modeling, and if your development organization doesn’t have that kind of cash, it couldn’t hurt to have a look.