February, 2012

  • The Security Development Lifecycle

    SDL Pro Network Continues Global Expansion

    • 0 Comments

    Jeremy Dallman here to introduce four new companies that have joined our SDL Pro Network.

    Today, Accuvant Labs, Conviso Application Security, Lockheed Martin, and Verizon Business EMEA joined this network of security consultants, training companies, and tool providers that specialize in application security and have substantial experience with the methodology and tools of the SDL. Each of these companies has established service offerings designed to span the entire lifecycle and make security and privacy an integral part of how software is developed.

    Lockheed Martin is a global security and information technology company. The majority of Lockheed Martin's business is with the U.S. Department of Defense and U.S. federal government agencies. In fact, Lockheed Martin is the largest provider of IT services, systems integration, and training to the U.S. Government. “We are pleased to join the Security Development Lifecycle (SDL) Pro Network. Lockheed Martin and the SDL Pro Network share similar principles and practices for application security. Our membership with this network of security consultants, training companies, and tool providers that also specialize in application security expands our reach in advancing software assurance awareness, skills, and solutions,” says Steve Adegbite, Lockheed Martin’s Director of Cyber Security and Commercial Strategies.

    The SDL Pro Network continues its global expansion by welcoming Verizon Business EMEA, which provides SDL services throughout Europe. Thierry Zoller, Practice Lead EMEA for Threat and Vulnerability Management, says “Verizon EMEA is proud to have joined the Microsoft SDL Pro Network. The Microsoft SDL is a leading SDLC concept backed up by years of real-life, large enterprise experience in the fields of business alignment, cost effectiveness and technical expertise. Verizon is delivering Microsoft SDL and overall SDL consulting across the EMEA region. We offer leading threat and vulnerability consulting expertise, including on-site SDL evangelists, SDL consultancy, SDL pilot programs, secure coding guidelines and developer trainings, that help enterprises develop secure and robust applications.”

    Conviso Application Security expands the SDL Pro Network into South America. Conviso is a security consulting company based in Curitiba, Brazil, specializing in network and application security services and in application security research. Their values are based on allocating the right competencies in the field, collaboration and partnership with customers and business partners, and constant investment in improving methodology and research. “It is an honor for Conviso to join this distinct group of companies that comprise the Microsoft SDL Pro Network. We hope to bring to the Latin American market the best practices in SDL by combining our efforts together with experienced and qualified professionals,” says Wagner Elias, CTO at Conviso Application Security.

    We also welcome Accuvant Labs to the SDL Pro Network. Accuvant, with offices in Denver, Atlanta, and Chicago, is a consulting member providing comprehensive analysis of mission-critical software, ensuring that security threats are identified, that an effective application security risk management program is put into place, and ultimately that all risks are mitigated. “Microsoft has done more to advance secure development than any other company; we are honored to be included in the SDL Pro Network. Accuvant LABS looks forward to enhancing our SDL offerings with the research and tools provided by Microsoft, ensuring that we can continue to deliver the highest quality of service to our customers,” says John Bock, Director of Application Security at Accuvant LABS.

    We encourage you to review each company’s services and consider contacting them or other SDL Pro Network companies to help you with your own organization’s Security Development Lifecycle program.

  • The Security Development Lifecycle

    Register to attend today! Security Development Conference 2012

    • 1 Comments

    Jeremy Dallman here with some exciting news to kick off the week!

    We are pleased to announce that registration is now LIVE for the inaugural Security Development Conference 2012 (SDC 2012) taking place in Washington D.C. on May 15-16, 2012. REGISTER today and take advantage of early bird pricing!

    This event, hosted by Microsoft, will bring together professionals from a variety of organizations to learn from security experts, build networks, and learn how to evolve their own Security Development Lifecycle (SDL) principles into practices. SDC 2012 will include information for leaders in security engineering, business decision makers, and managers who are responsible for accelerating the adoption and effectiveness of SDL practices within their own organizations.


    KEYNOTE SPEAKERS

    3 TRACKS & 24 SESSIONS

    The session tracks for this industry event will target three important roles for any security organization: security engineers, business decision makers, and lifecycle process managers. The sessions in these tracks will include experts representing over 30 organizations from a variety of industries. Visit the event website to see our current list of speakers and regularly check back as new speakers are added. We hope you will visit the website, spread the word and register early to join us at the Security Development Conference on May 15th & 16th!


    WHY YOU SHOULD ATTEND

    • Accelerate Adoption - Hear from leaders across a variety of organizations and learn from their experiences on how to accelerate SDL adoption in your own organization.
    • Gain Efficiencies - Learn effective ways to align SDL practices across engineering, business, and management.
    • Networking - Interact with peers, vendors and sponsors who provide SDL services, training, and tools.
    • Affordable Training - This is an affordable training opportunity that can benefit your entire security team.
    • Continuing Education - Earn 8 CPE Continuing Education (CE) credits for your CISSP credentials.


    PRICING

    Early Bird (February 20 - March 15): $300
    Discount (March 16 - April 13): $400
    Standard (April 14 - May 11): $500
    Onsite Rate (May 12 - May 16): $700


    SPONSORSHIP OPPORTUNITIES

    If your organization or company is interested in being a sponsor for the SDC 2012, we have a few open sponsorship opportunities left at both the Gold and Silver levels. Please contact SDC2012@microsoft.com for more information.

  • The Security Development Lifecycle

    Financial Services Industry Publishes Software Assurance Framework

    • 4 Comments

    More and more enterprises are realizing the importance of proactive security practices, and those involved in critical infrastructure are no exception. One of the most effective ways to drive security improvements in critical infrastructure is through industry consensus. Microsoft has been deeply involved in collaborating with several critical infrastructure sectors to better understand their needs and to help improve their secure software development practices. A critical sector is financial services, where Microsoft has had a long-term collaboration with BITS, a part of the Financial Services Roundtable, made up of major US financial institutions that are responsible for almost 93 trillion in managed assets.

    Today, BITS announced the release of their Software Assurance Framework. The purpose of this framework is to document the importance of secure development and to provide guidelines that financial services organizations can use to implement these practices more fully. The framework is rooted in education, integration of security in design using standards and threat modeling, best practices for coding, and focused and comprehensive testing, followed by important implementation and response practices. This type of holistic, prescriptive, risk-based approach has been a hallmark of Microsoft’s SDL since its inception back in 2004. The BITS Framework goes on to cite the Forrester Consulting study, which details the compelling economic (ROI) reasons to invest in an SDL program.

    The framework was also designed to provide guidelines to software suppliers of the financial services industry for writing better, more secure software. BITS recognized the importance of making this an industry-wide effort, which is why we are extremely pleased to see it was made available to the public. Microsoft has been a strong advocate for improving secure development practices with free information and tools for many years now. The BITS framework is another great example of the importance of prescriptive security practices versus descriptive ones such as checklists.

    Of note, this Framework was a collaborative effort that involved several financial services companies in conjunction with Microsoft.  The BITS group contains some of the most experienced security people in the financial services industry working together to define clear guidance on the most critical software development best practices for financial services.

    We encourage you to take a look at this important document and see how practices from Microsoft’s SDL have helped to make a difference in improving software security within the financial services industry.

    - Doug Cavit

  • The Security Development Lifecycle

    Evolving Secure Code at Microsoft and Beyond

    • 0 Comments

    Steve Lipner here…

    Over the past few weeks, Microsoft has been reflecting on the ten year anniversary of the Trustworthy Computing initiative; thinking about the things that have led us to this point in our history and speculating about the future.

    Obviously a big part of our work has been the creation and evolution of the Microsoft Security Development Lifecycle (SDL). In our case, security has evolved in large part because of the issues that we faced early on. As referenced in my previous post, the uphill battle we fought in the early years put a negative spotlight on our products and our ability to keep customers safe.

    By learning from our weaknesses and from close observation of the evolving threat landscape, we were able to make progress against the challenges by employing an effective approach to developing more secure software. The most prominent and arguably the most important attribute of our evolution lies in our commitment to the SDL – a comprehensive approach for writing more secure code. Under the Microsoft Trustworthy Computing umbrella, the SDL is considered the most battle-tested and effective software security assurance process in the industry.

    Clearly Microsoft products are not the only ones being targeted by cybercriminals. Today there is an industry dedicated to finding security vulnerabilities; motivated security researchers are in a race to discover the next big vulnerability in hopes of selling it on the open market. So how does Microsoft work with the industry to help build a safer, more trusted computing ecosystem? One way is by freely sharing our prescriptive guidance around the SDL methodology and tools so that other organizations can build more secure software.

    We’ve noticed that IT-dependent organizations are no longer satisfied with the latest “Top n list” of security practices; instead they are demanding prescriptive practices like the SDL that make deliberate value judgments on security practices based on real-world effectiveness. We’re proud of our efforts here; no other software vendor shares their tools and resources to the extent that we have. We feel strongly that by sharing our best practices and tools, we can help organizations implement a version of the SDL that makes sense for them, regardless of what platform they use.

    This insistence on effective security development processes can be found in the recent release of the BITS Software Assurance Framework. For those readers unfamiliar with BITS, it is the technology arm of the Financial Services Roundtable – an organization that includes members from major US financial services organizations. BITS is chartered with finding collaborative solutions to challenges in cybersecurity, fraud reduction and critical infrastructure protection for its member companies. Today, BITS will publicly announce that they have successfully incorporated many of the key elements contained within Microsoft’s SDL into the guidance they provide to their member institutions and their software vendors. Their recommendation of many of our security development practices is gratifying and a strong testament to how far we have come with software development security.

    We’re also pleased to see a growing community of individuals and enterprises that are implementing secure development best practices; we feel there should be a venue where those ideas and methodologies can be shared. In an effort to make that venue a reality and sustain the momentum behind secure development processes, we are pleased to announce the first annual Security Development Conference in Washington D.C., May 15th – 16th, 2012.

    This event will bring together experts from a variety of industries to Washington, D.C. for a two-day conference that centers on the theme “Evolving from Principles to Practices” and will serve as a focal point for education and collaboration for security development professionals. By holding this conference we intend to emphasize the importance of more secure code as the critical first step to protecting against criminal activity. The conference will provide in-depth sessions, panel discussions, and professional networking opportunities that will help organizations develop and accelerate their own security development lifecycle processes.

    For more information and registration details, I’d strongly encourage a visit to the conference website at www.securitydevelopmentconference.com.
