Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
Hi everyone! Jeremy Dallman here. I would like to announce a new and easier way to integrate the SDL into your development lifecycle.
In the year since we released the Microsoft SDL Process Guidance documentation, companies interested in adopting the SDL have often asked us “where do I start”? In the past year, we’ve provided the SDL Optimization Model, The SDL Threat Modeling Tool, and the SDL Pro Network as great options to get you started. Quite often, the follow-up comment has been “I just need a way to practically apply the SDL in my development lifecycle… can’t you just put it into Visual Studio?” In order to successfully integrate security into their development process, the people who own a security initiative realize that they need to introduce secure development practices and the SDL with minimal impact on their existing development frameworks and as part of the familiar environment.
The SDL Process Template is a free downloadable template for Visual Studio Team System that integrates the SDL directly into a customer’s software development environment. Because it integrates with the team and process features of Team System, you do need a Team Foundation Server to manage your work. This is our first comprehensive offering that addresses all phases of the SDL from Requirements through Release.
By taking advantage of the rich functionality in Visual Studio Team System and Team Foundation Server, we are now able to offer an SDL solution that reduces the barrier to entry for SDL adoption, provides auditing for satisfying the security requirements, and demonstrates security return on investment. The SDL Template is intended to provide the foundational components of the SDL for every phase of your development project.
We hope you will take the time to download the SDL Process Template and consider using it to integrate security and the SDL into your team project. If you do not currently use Visual Studio Team System, but would like to evaluate the SDL Process Template, evaluation versions in both VPC and Hyper-V environments are available for download. You can simply upload the SDL Process Template into that virtual environment and check it out for yourself.
Here is a quick preview of the basic functionality the SDL Process Template offers:
After installation completes and a new Team Project is created, the first page that appears is the Process Guidance page. This page provides everyone on the project with:
Below: The SDL Process Guidance “front page”
Since SharePoint is included with Visual Studio Team System, The basic SharePoint site provides a single location for all project participants to get a common view of project status, related announcements and dates, and access the large document library.
Below: the SharePoint site serves as a project dashboard
By selecting the “All SDL Tasks” query the team can find the pre-populated list of all SDL Requirements and Recommendations. No more trying to figure out where to start when it comes to defining security requirements! The SDL Template also provides a custom work item that allows you to create and add your own unique requirements or recommendations.
Below: all SDL Requirements and Recommendations pre-loaded and ready to triage
Developers care about security, but they want it to be intuitive. We have provided check-in policies that will ensure every set of code is taking advantage of the SDL required compiler/linker flags and Code Analysis features already in Visual Studio. This will eliminate entire classes of security weaknesses from your code. A Security Code Review work item is also included to support enforcement of security code reviews for security-sensitive code.
Below: Setting Check-in policies
Below: Check-in policies in action
Testers want to be able to emphasize the importance of a security bug and properly communicate the impact to their product. The default “bug” work item now has customized security fields so you can identify security cause, severity, and security effect (using STRIDE), and mark a bug as Blocking or Not Blocking. This feature allows you to track and search for security-specific bugs.
Below: Identifying a bug as a security issue
The entire team and especially senior management want an easy-to-read document that summarizes the security work completed. The Final Security Review Report and Security Bugs Report provide an auditable set of evidence that details security work completed as well as deferred tasks.
Below: Page 1 of the Final Security Review
Below: Page 2 of the Final Security Review
Threat modeling is a critical part of your early design process. It informs architects of the attack surface, provides insight for the developers to write more secure code, and enables testers to more effectively build test cases to verify mitigations. The SDL Process Template includes a script that will convert SDL Threat Modeling tool issues into security bugs and hook into the reporting piece of the template.
We hope you will take a look at the SDL Process Template and consider using it to ease adoption of the SDL in your development teams. As we move forward with more SDL offerings, our plan is to integrate any tools and guidance into the SDL Process Template – making it a dynamic foundation for an end-to-end SDL solution.
We look forward to your feedback as you download and begin using the SDL Process Template to make your code more secure.
I’ve been a firm believer of integrating as much security tooling as possible into the development process
The Security Development Lifecycle Blog has just announced some exciting news :  They have developed
Our Security Development Lifecycle (SDL) team has release a process template for Team Foundation Server
Todo comenzó con un mail de Bill Gates . La seguridad era la gran prioridad y Michael Howard ha