
Microsoft takes Security Development Lifecycle to all developers

by Phil Muncaster

19 May 2009

Microsoft has released a template showing how to implement the Security Development Lifecycle

Microsoft will launch new additions to its Security Development Lifecycle (SDL) programme today, designed to enable all software developers to integrate the SDL more tightly into the development process, and ultimately create a more secure software ecosystem.

A free Visual Studio process template has been made available to download from MSDN, integrating SDL 4.1 into the software development environment for organisations using Visual Studio Team System.

The template provides guidance on how to implement the SDL in the development process, offering links to online resources and explaining how to extend it to third-party security tools.

"The template integrates policy, process and tools into software development management projects in a very usable way," said Steve Lipner, senior director of security engineering strategy for Microsoft's Trustworthy Computing initiative.

"Most importantly it is measurable, helping organisations assess the effectiveness of existing tools, visualise how well they're doing in terms of the SDL, and find the problems early in the lifecycle."

The template also takes all of the SDL requirements and populates them into Visual Studio as work items, making it as natural a process as possible, according to Lipner.

"The hackers and security researchers are finding vulnerabilities, and they're not just in Microsoft software," he said. "What we've tried to do is share our ideas with the community, in the hope that all software will be made secure."

Microsoft also announced that the same version of the SDL is available as a document for organisations to download and apply in their own environments, even if they are not using Visual Studio. Lipner added that the pro-network of third-party training and consulting companies would expand to include storage area networks and the Science Applications International Corporation.
