Wednesday, November 19, 2008

Updates to Microsoft Security Development Lifecycle

Microsoft introduced updates to its Security Development Lifecycle (SDL) Program in November. The updates include:

SDL Pro Network - a group of security service providers that specialize in application security and have been trained by Microsoft in the tools and guidance associated with its Security Development Lifecycle.

The one-year pilot program started in November 2008 and consists of nine companies (in alphabetical order):

• Cigital Inc., Dulles, Va.
• IOActive Inc., Seattle
• iSEC Partners Inc., San Rafael, Calif.
• Leviathan Security Group Inc., Westminster, Colo.
• Next Generation Security Software Ltd. (NGS), Sutton, United Kingdom
• n.runs AG, Oberursel, Germany
• Security Innovation Inc., Wilmington, Mass.
• Security University Inc., Stamford, Conn. - training services only
• Verizon Business, Basking Ridge, N.J.

Microsoft SDL Threat Modeling Tool 3.0 – Version 3 of the Microsoft SDL Threat Modeling Tool adds new features, including:

• Automation: Guidance and feedback in drawing threat diagrams
• STRIDE Framework: Guided analysis of threats and mitigations
• Integration: Issue-tracking systems
• Reporting capabilities: Security activities and testing in the verification phase

Installing the tool requires Visio 2007 (demo version or better).

SDL Optimization Model

The update to this model is structured around five capability areas that roughly correspond to the phases within the software development lifecycle:

• Training, policy, and organizational capabilities
• Requirements and design
• Implementation
• Verification
• Release and response


Additionally, the model now defines four levels of maturity for the practices and capabilities in these areas—Basic, Standardized, Advanced, and Dynamic.

The SDL Optimization Model consists of an introduction, a self-assessment guide and three implementation guides, all contained within a single downloadable zip file in Microsoft Office 2007 format. To view it, you will need Office 2007 or the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats.

The Introduction contains an overview of the SDL Optimization Model and how to use it.

The Self Assessment Guide contains a questionnaire for mapping your current secure development practices to the SDL maturity levels.

Three Implementer’s guides (Basic-Standardized, Standardized-Advanced, and Advanced-Dynamic) provide detailed and actionable guidance on the necessary steps for moving up the SDL maturity levels in each of the five capability areas.

Each Implementer’s guide contains valuable links to relevant publications, practices, tools, and checklists for Microsoft and non-Microsoft development environments.

The goal of the SDL Optimization Model is to take security practices from a reactive to a proactive stance. That goal isn’t necessarily best reached by starting with the earliest phases. Peter Drucker once said: “If you can’t measure it, you can’t manage it.”

Your organization may find it more effective to adopt the SDL by starting with improvements to incident response and to defect tracking that identifies security, privacy, and compliance-related defects. Knowledge of incidents in the field will provide information about the kinds of issues that should have been tested for during verification. Defect tracking that identifies security, privacy, and compliance-related defects will allow you to identify and track concrete metrics and show measurable improvements as the process matures. These metrics will drive executive commitment and justify ongoing resources devoted to SDL optimization.