Microsoft SDL Process Template aims to fix software security in design phase
Microsoft today released a new security tool for Visual Studio Team System that aims to help developers create more secure code. The Security Development Lifecycle (SDL) Process Template integrates SDL process guidelines into VS to help developers create code that's both secure and privacy-enhanced. For developers not running VS, Microsoft also announced SDL 4.1, which updates SDL documentation and provides guidelines and best practices.
"The majority of security work happens between test and deployment, but that's when cost to fix is most expensive," said David Ladd, principal security program manager of Microsoft’s SDL team. "The point of SDL is to get security into the early part of the development lifecycle. It costs 30 times less to fix security problems in the design phase."
The SDL Process Template for Visual Studio Team System is a free download that's based on the also-announced latest version of SDL documentation, SDL 4.1. "We wanted to reduce SDL from a series of documents to making it automated," Ladd said, "And incorporate guidance into a tool thousands of developers use." The tool and the documentation are primarily aimed at enterprise and Internet-facing organizations.
What It Does and Why
The tool integrates policy processes and tools and integrates into the everyday tasks of developers. It offers a preloaded superset of work items in SDL and information on how to customize them. It also offers a way to assess the effectiveness of existing security tools, whether Microsoft or third-party tools, Ladd said. And it offers developers a way to reduce the learning curve of taking on SDL, offering security gains without requiring developers to become security experts.
The tool is integrated with Microsoft SharePoint technology, providing a single site where all participants in a software development project can view information and stay updated on the progress of the project. It offers a final security review showing the status of SDL tasks.
"If you're an app developer and security is a priority for you, yeah, there's a little bit of a learning curve," Ladd said, but the results, he said, make it worth any time spent becoming familiar with the tool.
The release of SDL 4.1 documentation tracks directly to the SDL Process Template in VS, he said, and offers insight into how Microsoft does privacy and security. "If you're not using Visual Studio, you can still extract every requirement and use it on your non-Microsoft-based product," he said.
Microsoft’s SDL team works to perfect a software security assurance process that has helped to embed security and privacy in Microsoft software and culture since 2004. It's the result of the 2002 Bill Gates memo that launched the Trustworthy Computing Initiative. SDL is what Microsoft points to to explain the decline in vulnerabilities reported in SQL Server 2005 and Windows Vista, compared to their predecessors.
Ladd cited the reduction in vulnerabilities in SQL Server over three years and attributed them to SDL. SQL Server 2000 had 34 critical vulnerabilities and SQL Server 2005 had 3.
"OSs were rich targets," Ladd said, before SDL improvements made attacks more difficult. "Now applications have become fertile hacking ground."
Microsoft also announced the addition of two service providers to Microsoft's nine-member SDL Pro Network: the SANS organization and SAIC, a government contractor in cyber security. For customers who want assistance with SDL, the network of eleven service providers offers additional expertise in SDL.