Microsoft Security Development Lifecycle - Secure software made easier.
Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
In a recent post by SAFECode, a non-profit organization of software vendors dedicated to increasing trust in information and communications technology products by improving security and assurance methods, Eric Baize of EMC and Steve Lipner of Microsoft discuss the challenging subject of trustworthiness of acquired software. How a customer gains confidence in acquired software is a frequently asked question of developers. The latest SAFECode blog discusses three approaches that a customer can use to assess the security of acquired software with varying levels of confidence.
Today, we are excited to announce the general availability of a new version of a very popular Security Development Lifecycle tool – Microsoft Threat Modeling Tool 2014. It’s available as a free download from Microsoft Download Center here.
Threat modeling is an invaluable part of the Security Development Lifecycle (SDL) process. We have discussed in the past how applying a structured approach to threat scenarios during the design phase of development helps teams more effectively and less expensively identify security vulnerabilities, determine risks from those threats, and establish appropriate mitigations.
For those who would like more of an introduction to threat modeling, please visit Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach. But, without further ado, let’s dig into the fun stuff – the new features of Threat Modeling Tool 2014. Read more
Today, we are excited to announce the general availability of a new version SDL process templates:
This version of the SDL Process Templates is specific to the Microsoft Security Development Lifecycle version 5.2.
The SDL Process Templates automatically integrate policy, process and tools associated with the Microsoft Security Development Lifecycle (SDL) in Visual Studio 2013 and Visual Studio Team Foundation Server (TFS). With the process templates code checked into the Visual Studio TFS source repository by the developer is analyzed to ensure that it complies with SDL secure development practices. The templates also create security workflow tracking items for manual SDL processes such as threat modeling to ensure that these important security activities are not accidentally skipped or forgotten. Read more
To mark the 10 year anniversary since the creation of the Security Development Lifecycle, we wanted to tell the behind-the-scenes story of how the SDL came to be. Back in 2004, Microsoft decided that if we were going to succeed at building trust with our customers, security could not be an afterthought when developing our products and services. So how do you get a large organization like Microsoft to prioritize security with thousands of developers, writing millions of lines of code? How do you get everyone marching toward the same goal? Hear from some of the people behind the scenes in security at Microsoft to discuss their journey and how they helped to fundamentally shift the culture within Microsoft. Get the never-before told inside story on Microsoft security: www.sdlstory.com
Registration is now live for the Security Development Conference 2013, hosted in San Francisco, CA on May 14 – 15, 2013. If you register today you’ll save 50% off the normal registration fee.
This year’s conference will include keynote speakers Edna M. Conway, Chief Security Strategist, Cisco Systems Inc.; Brad Arkin, senior director, Security, Adobe products and services; and Scott Charney, corporate vice president, Trustworthy Computing, Microsoft Corp. Event tracks will include: Engineering for Secure Data, Security Development Lifecycle & Data Security, and Business Risk & Data Security. Track sessions will cover the latest in proven security development techniques that help reduce risk and protect organizations in the ever-changing technology landscape.
The Security Development Conference brings together IT security professionals to network, learn and discuss secure development best practices. Attendees from around the world will hear from leading security experts, build their professional networks, and learn how to implement or accelerate adoption of secure development practices within their own organizations.
For more information, I encourage you to check out the website at www.securitydevelopmentconference.com.
Steve LipnerPartner Director of Program ManagementMicrosoft Trustworthy Computing
Doug Cavit here. I’m happy to announce that we have now released The SDL Chronicles. We have been working with many outside institutions to help document their secure application development journey and what they learned. Together, these stories make up The SDL Chronicles. It is really interesting to me to see all these stories collectively rather than as individual pieces. It is much easier now to see the similarities in what all of these institutions underwent in understanding the new challenging threat landscape. They then built consensus for not just doing the “quick fix” but for solving the problem systemically through a cultural shift. From this effort they were able to realize not only the benefits of enhanced security but also reaping direct benefits for doing the right thing in terms of more productivity and an excellent ROI. All of these stories conclusively show that process and culture matters and while it may take some time and resources the net result is worth the investment.
Last year we released a beta version of our free Attack Surface Analyzer tool. The purpose of this tool is to help software developers, Independent Software Vendors (ISVs) and IT Professionals better understand changes in Windows systems’ attack surface resulting from the installation of new applications. Since the initial launch of Attack Surface Analyzer, we have received quite a bit of positive feedback on the value it has provided to customers. Today we are pleased to announce that the beta period has ended and Attack Surface Analyzer 1.0 is now available for download.