Microsoft bids to boost Agile security

Microsoft announced the news at its annual TechEd conference in Berlin

Microsoft’s Trustworthy Computing Group has released new guidance to enable programmers using the Agile software development methodology to employ its Security Development Lifecycle (SDL) process.

The guidance, which was announced today at the vendor’s TechEd Europe 2009 conference in Berlin, is intended to extend security best practice to the ever-growing Agile development community.

“A well-managed software security programme is a good investment at any time and can help minimise security-related maintenance costs, while providing customers with a more secure experience,” said Steve Lipner, senior director of security engineering strategy for Microsoft’s Trustworthy Computing Group.

According to Forrester Research in its report From Agile Development to Agile Engagement, which was published in May this year, some 85 per cent of IT professionals have either adopted or are in the process of adopting Agile methods.

The Agile methodology focuses on iterative software development, whereby both requirements and deliverables evolve through collaboration between cross-functional teams. It is a disciplined project management-based process that encourages the rapid development of high-quality software by focusing on frequent reviews, adaptation and teamwork.

This contrasts with more traditional waterfall methods of development where specifications are clearly defined in detail in advance and teams work on pre-determined features and tasks over the entire length of a scheduled development process. This makes it difficult to change direction if alterations are required.

Microsoft created its Security Development Lifecycle (SDL) in 2004 following widespread criticism about the security of its software. The SDL is an attempt to share lessons learned and comprises a raft of tools and best practice guidance.