Microsoft built upon its Secure Development Lifecycle (SDL) this week with an announcement at the Black Hat conference in Washington DC. With this announcement, Microsoft will provide a simplified implementation of SDL. The goal here is to spread the goodness of SDL to smaller or less sophisticated development organizations.
Microsoft also extended its support for Agile development with new templates and integration with development in testing tools. Finally, Microsoft announced a number of partners to its SDL Pro Network (i.e. third-parties providing tools and/or services based upon SDL). New recruits include Software Assurance leaders like Booz Allen Hamilton, Codenomicon, Fortify, and Veracode.
This particular Microsoft announcement won’t get much play compared to say the Windows 7 announcement, but as a security insider, I think it is important for several reasons:
I really applaud Microsoft for calling attention to SDL. Whether most people realize it or not, a lot of software developers never think about security as they are writing code. This is the root cause of a lot our current — and future — security woes.
One final note. Microsoft’s SDL is not a proprietary model for Windows. Any developer can use it. If you are an out-and-out Microsoft basher, I suggest you visit SAFECode.org, an organization focused on Software Assurance.
Related posts:
Tags: Cyber Supply Chain Assurance Model, Federal Government, Microsoft, SAFECode, SDL
Name (required)
Mail (will not be published) (required)
Website
Your email: