Hi all, Dave here…
I’m pleased to announce the availability of new resources for the Microsoft Security Development Lifecycle (SDL).
We have recently launched a dedicated SDL website at www.microsoft.com/sdl. This website will serve as the main online presence for all SDL related communications and resources from Microsoft.
For several years now the SDL has been at the heart of Microsoft’s strategy for making security and privacy an integral part of the software development culture at Microsoft. As a result of the SDL, we have seen significant security improvements across many flagship Microsoft products, including Windows, SQL Server and others. These security improvements have been widely recognized by security analysts, researchers and other experts. However, despite the significant improvements and recognition, we believe that our broad technical audiences (developers and IT Pros) do not yet associate the SDL with the progress we have made in our technologies and services.
Given that, our goal is to help illustrate SDL processes and tooling in a structured and consistent manner – by providing actionable guidance for the different job roles within a development organization.
We welcome your feedback – on the site, and on other information you’d find useful in evaluating the SDL.
I really like the site. This information will be useful in our organisation.
One minor issue - on the front page of the site you say:
"According to the National Institute of Standards and Technology (NIST), eliminating vulnerabilities in the design stage can cost 30 times less than fixing them post release."
We all like to have some real figures to back up SDL-type initiatives. Did you get that "30 times" figure from the linked document's Table 5-1 ("Post-product release relative cost - 30X")? If so, did you notice that it said "example only"?
Hi VFieldhouse - thanks for the comments...
To answer your question about the NIST number - yes we were aware of it being presented as an example; that's why we used the phrase "can cost" instead of "will cost" 30 times less... ;)
Obviously there are a lot of factors that can affect the overall cost of fixing a vulnerability. We have seen other cost estimates from IT analyst firms (which in some cases also quote the NIST study) that are quite similar. Finally, we believe that the number is within the bounds of reality based on anecdotal evidence from ongoing discussions with many of our customers (who shall remain unnamed) and trading notes with other ISVs.
I've been working with SDL quite a bit. I'm a researcher at North Carolina State University, and I'm investigating SDL for use with a system developed here. The Virtual Computing Laboratory (VCL) is a rack-mounted system that hosts computer labs, and it is open-source and well funded.
Microsoft's SDL is the best security-development process I've found. Our experiences with SDL may be of interest to you all, e.g., you mentioned a need to better promote SDL. I've run into some problems that I've had to figure out how to work around. Also, I'm writing a technical report with a survey of security-development processes (e.g., SDL, NIST's, etc.), and a plan for adapting SDL for our security development.
If someone on your security team would be interested in our experiences in using SDL, I think the dialog could be mutually beneficial. I have a PhD in computer security and also a background in operating-systems development at IBM.