Microsoft expands security lifecycle expertise

Microsoft intends to see the security process through from start to
finish, not just internally but for outside software developers too.
The company plans to export its Security Development Lifecycle (SDL)
process more widely by releasing tools and support to IT pros later
this fall, Redmond said this week.

The software giant wants to support developers in building
fortified apps, starting at the design and development phase with

SDL is a "software security assurance process" that has been in
place as part of Microsoft's internal architectural policy, going
as far back as 2004, explained Steve Lipner, Microsoft's senior
director of security engineering strategy for the Trustworthy
Computing Group, in a Microsoft-published Q&A.

The SDL methodology, he said, has led to security improvements
in flagship products such as Windows Vista and SQL Server. In
recent months, attackers have favored Internet-based attacks on
SQL Server-backed solutions, although Microsoft has attributed the
vulnerability to insecure Web pages and Web

SDL allows development managers and IT policy-makers to "assess
the state of their secure software development practices and to
create a vision and road map for reducing customer risk," Lipner

In an effort to broaden its SDL practices, Microsoft is planning
a three-pronged rollout, beginning in November.

First, Microsoft plans to make its SDL optimization model (PDF) freely available via a
download on MSDN.

Second, if IT pros want to consult security experts, Redmond is
forming a "SDL Pro Network," which will be available in November.
The network will include trained independent channel partners and
Microsoft staff members in the United States and Europe.

Microsoft also generally plans to share its SDL concepts with
independent software vendors, partners and customers as a means to
achieving security and privacy throughout the "entire computing

Finally, Microsoft plans to release an SDL Threat Modeling Tool 3.0 (PDF) in
November. The tool lets development teams diagram an application's
components and data flows and enumerate the threats against each, a
design-time counterpart to the risk assessment and analysis solutions
used to map enterprise IT security.

Microsoft's SDL announcement is part of the company's broader
outreach on security. In August at the Black Hat Conference, Microsoft promoted a more
collaborative effort on security issues. It also promised
greater transparency in its security patch release cycles.
