<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>The Security Development Lifecycle : SDL Pro Network</title><link>http://blogs.msdn.com/sdl/archive/tags/SDL+Pro+Network/default.aspx</link><description>Tags: SDL Pro Network</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>New SDL Pro Network Members: SANS and SAIC</title><link>http://blogs.msdn.com/sdl/archive/2009/05/21/new-sdl-pro-network-members-sans-and-saic.aspx</link><pubDate>Thu, 21 May 2009 18:50:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9633926</guid><dc:creator>sdl</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/sdl/comments/9633926.aspx</comments><wfw:commentRss>http://blogs.msdn.com/sdl/commentrss.aspx?PostID=9633926</wfw:commentRss><description>&lt;P style="MARGIN: 0in 0in 10pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;When &lt;A href="http://blogs.msdn.com/sdl/archive/2008/09/11/new-addition-to-the-starting-line-up.aspx" mce_href="http://blogs.msdn.com/sdl/archive/2008/09/11/new-addition-to-the-starting-line-up.aspx"&gt;I joined the SDL team&lt;/A&gt; last fall, the &lt;A href="http://msdn.microsoft.com/en-us/security/dd219581.aspx" mce_href="http://msdn.microsoft.com/en-us/security/dd219581.aspx"&gt;SDL Pro Network&lt;/A&gt; had launched as a &lt;A href="http://blogs.msdn.com/sdl/archive/2008/09/18/about-the-sdl-pro-network.aspx" mce_href="http://blogs.msdn.com/sdl/archive/2008/09/18/about-the-sdl-pro-network.aspx"&gt;one-year pilot program&lt;/A&gt;.&amp;nbsp; Upon returning from maternity leave, I took over management of the SDL Pro Network.&amp;nbsp; I have been working on formalizing the program in order to bring 
it from pilot phase into a full-blown partner program, to launch after November 2009.&amp;nbsp; I have also been working on bringing new consulting services and training members into the fold, even during this pilot phase of the program.&lt;/FONT&gt;&lt;FONT size=3 face=Calibri&gt;&lt;BR&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 10pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;On May 19, the SANS Institute, one of the most trusted and largest sources for information security training, certification &amp;amp; research in the world, and SAIC, a company of over 45,000 employees worldwide with expertise in national security, energy and the environment, critical infrastructure and health, were also added to the SDL Pro Network in an effort to further broaden the SDL’s reach. &lt;BR&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 10pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;In joining forces with these two new SDL Pro Network members, Microsoft’s SDL team is bringing more options for world-renowned security training and consulting services to new developers around the world.&lt;BR&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 10pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;Please join me in welcoming &lt;A href="http://www.sans.org/sdl.php" mce_href="http://www.sans.org/sdl.php"&gt;SANS&lt;/A&gt; and &lt;A href="http://www.saic.com/" mce_href="http://www.saic.com/"&gt;SAIC&lt;/A&gt; into the SDL Pro Network.&lt;BR&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 10pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;-&lt;A href="http://twitter.com/k8em0" mce_href="http://twitter.com/k8em0"&gt;Katie Moussouris&lt;/A&gt;, Senior Security Strategist, SDL&lt;/FONT&gt;&lt;/P&gt;</description><category domain="http://blogs.msdn.com/sdl/archive/tags/SDL/default.aspx">SDL</category><category domain="http://blogs.msdn.com/sdl/archive/tags/SDL+Pro+Network/default.aspx">SDL Pro Network</category></item><item><title>Gary McGraw's Reality Check Security Podcast</title><link>http://blogs.msdn.com/sdl/archive/2009/01/15/gary-mcgraw-s-reality-check-security-podcast.aspx</link><pubDate>Thu, 15 Jan 2009 21:54:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9321365</guid><dc:creator>sdl</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/sdl/comments/9321365.aspx</comments><wfw:commentRss>http://blogs.msdn.com/sdl/commentrss.aspx?PostID=9321365</wfw:commentRss><description>Hello, Michael here,&amp;nbsp;&amp;nbsp; 
&lt;P&gt;&lt;A href="http://www.cigital.com/~gem/"&gt;Gary McGraw&lt;/A&gt;, CTO at Cigital, recently &lt;A href="http://www.cigital.com/realitycheck/show-001/"&gt;interviewed&lt;/A&gt; Steve Lipner as Gary kicked off his "&lt;A href="http://www.cigital.com/realitycheck/"&gt;Reality Check&lt;/A&gt; Security Podcast" series. I think podcasts like this are important because they help us learn from others' experiences. &lt;/P&gt;
&lt;P&gt;For those that don't know Gary, he's been involved in software security for years, and has written plenty of &lt;A href="http://www.amazon.com/Software-Security-Building-Addison-Wesley/dp/0321356705/"&gt;excellent&lt;/A&gt; &lt;A href="http://www.amazon.com/Exploiting-Online-Games-Distributed-Addison-Wesley/dp/0132271915"&gt;books&lt;/A&gt; &lt;A href="http://www.amazon.com/Exploiting-Software-Break-Addison-Wesley-Security/dp/0201786958/"&gt;on&lt;/A&gt; &lt;A href="http://www.amazon.com/Building-Secure-Software-Addison-Wesley-Professional/dp/020172152X"&gt;the&lt;/A&gt; &lt;A href="http://www.amazon.com/Software-Security-Engineering-Project-Managers/dp/032150917X"&gt;subject&lt;/A&gt;. He also plays a &lt;A href="http://www.wheresaubrey.com/"&gt;mean fiddle&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;Finally, Cigital is a &lt;A href="http://www.cigital.com/services/sdl/"&gt;member&lt;/A&gt; of the Microsoft SDL Pro Network. &lt;/P&gt;</description><category domain="http://blogs.msdn.com/sdl/archive/tags/SDL+Pro+Network/default.aspx">SDL Pro Network</category></item><item><title>About the SDL Pro Network</title><link>http://blogs.msdn.com/sdl/archive/2008/09/18/about-the-sdl-pro-network.aspx</link><pubDate>Fri, 19 Sep 2008 06:12:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8958114</guid><dc:creator>sdl</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/sdl/comments/8958114.aspx</comments><wfw:commentRss>http://blogs.msdn.com/sdl/commentrss.aspx?PostID=8958114</wfw:commentRss><description>Hello all, Dave here... 
&lt;P&gt;I expect that a number of you have seen the &lt;A href="http://www.microsoft.com/presspass/features/2008/sep08/09-16lipnersdl.mspx" mce_href="http://www.microsoft.com/presspass/features/2008/sep08/09-16lipnersdl.mspx"&gt;announcement&lt;/A&gt; and various press articles or &lt;A href="http://blogs.msdn.com/sdl/archive/2008/09/16/sdl-press-tour-announcements.aspx" mce_href="http://blogs.msdn.com/sdl/archive/2008/09/16/sdl-press-tour-announcements.aspx"&gt;Steve Lipner's Tuesday post&lt;/A&gt; about our launch of the SDL Threat Modeling Tool 3.0, the SDL Optimization Model and the &lt;A href="http://download.microsoft.com/download/0/E/9/0E9AC448-30B2-4451-9E23-46244AFABB7F/Microsoft%20SDL%20Pro%20Network%20_Fact%20Sheet.pdf" mce_href="http://download.microsoft.com/download/0/E/9/0E9AC448-30B2-4451-9E23-46244AFABB7F/Microsoft%20SDL%20Pro%20Network%20_Fact%20Sheet.pdf"&gt;SDL Pro Network&lt;/A&gt;.&amp;nbsp; Since I was intimately involved with the creation of the SDL Pro Network, I thought I'd write a few words about our objectives and chat a bit about the thinking behind our partner choices for the pilot phase.&lt;/P&gt;
&lt;P&gt;So, what are we hoping to gain by creating a network of security consulting and training experts to work with customers who want to implement the SDL?&amp;nbsp; Generally speaking, this question has a two-part answer:&amp;nbsp; First, Microsoft is, and always will be, a partner-driven company - we rely on the skills and capabilities of our partners to provide specialized services and broad geographic coverage for Microsoft products and services.&amp;nbsp; Second, even though there are talented folks in the &lt;A href="http://www.microsoft.com/services/microsoftservices/default.mspx" mce_href="http://www.microsoft.com/services/microsoftservices/default.mspx"&gt;Microsoft Services&lt;/A&gt; organization, it's clear that we will need help from our partners to scale to meet the demand.&amp;nbsp; I can't tell you how many times the folks on the SDL team have been approached by people - after an executive briefing, or a session at TechEd - asking for guidance in implementing SDL in their own organizations.&amp;nbsp; When we look at the demand and pair it with the geographic diversity of our customer base, it's clear that a partner approach is the right answer.&lt;/P&gt;
&lt;P&gt;Now a few words about the partners who will be participating in the pilot phase...&lt;/P&gt;
&lt;P&gt;After the decision was made to work with partners on SDL delivery, we had two primary criteria that we had to address: partner quality and manageability of the SDL Pro Network pilot. We have all seen instances where individuals or consulting organizations have represented themselves to the IT community as having security expertise when in reality the "experts for hire" were simply reading a page or two ahead of the customer in whatever security tome was "in vogue" at the time.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Based on those observations, it was clear that partner "quality" was a critical criterion. &amp;nbsp;Fortunately for us, we didn't have to look far to satisfy our quality bar - many of the companies in the SDL Pro Network pilot have direct experience with executing portions of the SDL on &lt;I&gt;our&lt;/I&gt; products, or have delivered services to Microsoft in a security context. Design reviews, code reviews, penetration testing, training&amp;nbsp;and other tasks critical to SDL implementation were (and are) common fare for these folks.&lt;/P&gt;
&lt;P&gt;Despite the customer demand for SDL that I alluded to above, starting with a small pilot was the right thing to do; a small group of trusted consultancies supports our imperative for quality and it allows us to pragmatically grow the SDL Pro Network as the market matures. &amp;nbsp;As we continue to evolve and innovate with the SDL, we'll have a strong core of partners to help drive the software security message. &lt;/P&gt;
&lt;P&gt;Will we grow the SDL Pro Network?&amp;nbsp; The qualified answer is: "When the market demands it..." - there are a number of talented potential partners who meet the quality bar - and clearly, the need for security in software development will grow to demand additional talented specialists. However, it's our plan to begin with a small set of partners of known expertise, and then respond to growing demand as it materializes.&lt;/P&gt;
&lt;P&gt;So there you have it - the nuanced beginning and bright future of the SDL Pro Network...&amp;nbsp; I invite your comments, and encourage you to check in at the &lt;A href="http://www.microsoft.com/sdl" mce_href="http://www.microsoft.com/sdl"&gt;SDL Portal&lt;/A&gt; as we continue to build out the program.&lt;/P&gt;</description><category domain="http://blogs.msdn.com/sdl/archive/tags/SDL+Pro+Network/default.aspx">SDL Pro Network</category></item></channel></rss>