Microsoft Tool for Secure Development Will it work?
Microsoft recently developed a Security Development Lifecycle (SDL) tool responsible for assisting programmers to integrate the knowledge amassed through SDL into their software development environment. SDL is the corporation's patented process that ensures your applications are as secure and error-free as possible. SDL is a very important part of all the software and operating systems developed by the company since 2004.
Microsoft previously released the recommendations and specifications of SDL in the form of written documentation in order to let non-Microsoft developers make use of their process. However, being able to adapt a development process to accommodate SDL proved painstaking and arduous. Therefore, the company has opted to release an SDL Process Template tool for the Visual Studio Team System that maps SDL 4.1 in its totality.
Microsoft allowing developers to easily perform secure development
According to a report that Glenn Pittaway (the Group Program Manager for the SDL team) submitted to Heise Security, the source code must be present in Visual Studio in order for the template to be of any use. Regardless, he acknowledges that Microsoft has done everything in its power to make the tool as simple as possible for Visual Studio Team System developers to adopt SDL. Even programmers lacking certain security skills should, says Pittaway, be able to write secure code using the process.
Pittaway wasn't able to disclose whether Microsoft should be offering templates for other software development environments, stating instead that he and his cohorts were waiting for comments and suggestions from the developer community and might provide versions that weren't exclusive to Visual Studio if there were a demand for them. He noticed that Microsoft's SDL 4.1 has fervently focused on online applications. However, web services and local applications that are continuously or regularly connected online compel a whole new set of security requirements. Consequently, the SDL development team has placed a strong emphasis on that particular area of improvement.
Developers that want to center their own programming process on SDL can adapt its long list of specs and recommendations to their own requirements and steer clear of the process steps that are irrelevant to their projects. The template allows each job (such as fixing an error in the source code) to be assigned to a specific person or team. Also, SDL makes it easy to keep track of the progress of any undertaking. With SDL's help, generating reports and statistics that can be used to examine the performance of external bug-detecting applications is a relative breeze.