Enterprise Strategy Group | Getting to the bigger truth.TM

Microsoft SDL Progresses and Demonstrates Software Assurance Leadership

Microsoft built upon its Security Development Lifecycle (SDL) this week with an announcement at the Black Hat conference in Washington DC. With this announcement, Microsoft will provide a simplified implementation of the SDL, with the goal of spreading the benefits of the SDL to smaller or less sophisticated development organizations.

Microsoft also extended its support for Agile development with new templates and integration with development and testing tools. Finally, Microsoft announced a number of new members of its SDL Pro Network (i.e., third parties providing tools and/or services based upon the SDL). New recruits include software assurance leaders like Booz Allen Hamilton, Codenomicon, Fortify, and Veracode.

This particular Microsoft announcement won’t get much play compared to, say, the Windows 7 announcement, but as a security insider, I think it is important for several reasons:

  1. It is easy to blame Microsoft for security problems, but these accusations are often based on history, not present reality. The fact is that all of Microsoft’s products go through the SDL, and Microsoft is promoting the SDL on its own dime. Yes, other software vendors have their own software assurance processes and tools, but no other vendor is as open about its own secure development lifecycle or works as hard to stress the importance of secure software development.
  2. The SDL is growing on all fronts: the model itself, its adaptation to different development methodologies, its integration with development and testing tools, and the number of professional services firms that support it. Again, Microsoft isn’t making money on the SDL, but it continues to invest here.
  3. If you don’t know the SDL, you will soon. Whether it is Microsoft’s SDL or another similar model, secure code development will become a standard in the near future. Why? As the Federal Government embraces cyber supply chain assurance, you won’t be able to sell ANY technology products to the government unless you adhere to an SDL model. The same will hold true in other critical infrastructure industries like financial services, telecommunications, and utilities.

I really applaud Microsoft for calling attention to the SDL. Whether most people realize it or not, a lot of software developers never think about security as they are writing code. This is the root cause of a lot of our current — and future — security woes.

One final note. Microsoft’s SDL is not a proprietary model for Windows; any developer can use it. If you are an out-and-out Microsoft basher, I suggest you visit SAFECode.org, an organization focused on software assurance.


© 2010 Enterprise Strategy Group, Milford, MA 01757
