Risk
2/3/2010
04:37 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Black Hat: Microsoft Enhances SDL Offerings

The world's largest software company aims to help third-party developers write code that's more secure.

At the Black Hat security conference in Washington, D.C., on Tuesday, Microsoft introduced new software, a new membership program, and guidance to enhance its Secure Development Lifecycle (SDL) development methodology.

The software is the first public beta of MSF for Agile Software Development plus SDL Process Template for VSTS 2008, MSF-A+SDL for short, a template that helps development teams integrate SDL processes into their Visual Studio Team System development environment.

It is based on Microsoft's SDL-Agile processes, which aim to provide structure for development projects that happen on a more accelerated time line than the typical SDL project.

A version of the template for Visual Studio 2010 will be available shortly after Visual Studio 2010 is released in April.

Microsoft is also expanding its SDL Pro Network to include a new membership category called Tools. Organizations that join as Tools members provide services related to the deployment of security tools, like static analyzers, fuzzers, or binary analyzers.

The company announced seven new SDL Pro Network members: Fortify, Veracode, and Codenomicon in the Tools category; Booz-Allen Hamilton, Casaba Security, and Consult2Comply in the Consulting Member category; and Safelight Security Advisors in the Training Member category.

Finally, Microsoft released a white paper titled Simplified Implementation of the Microsoft SDL. In so doing, it hopes to convey that organizations don't have to be as large as Microsoft, and don't have to be using Microsoft development tools, to benefit from the company's secure development practices.

Microsoft's interest in helping third-party developers improve their code reflects the company's finding that during the first six months of 2009, 81% of reported vulnerabilities were in non-browser applications, 5% were in Microsoft products, and the remaining flaws were in Web browsers.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3966
Published: 2015-08-30
The IPsec SA establishment process on Innominate mGuard devices with firmware 8.x before 8.1.7 allows remote authenticated users to cause a denial of service (VPN service restart) by leveraging a peer relationship to send a crafted configuration with compression.

CVE-2015-4555
Published: 2015-08-30
Buffer overflow in the HTTP administrative interface in TIBCO Rendezvous before 8.4.4, Rendezvous Network Server before 1.1.1, Substation ES before 2.9.0, and Messaging Appliance before 8.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vect...

CVE-2015-5698
Published: 2015-08-30
Cross-site request forgery (CSRF) vulnerability in the web server on Siemens SIMATIC S7-1200 CPU devices with firmware before 4.1.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2015-4497
Published: 2015-08-29
Use-after-free vulnerability in the CanvasRenderingContext2D implementation in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to execute arbitrary code by leveraging improper interaction between resize events and changes to Cascading Style Sheets (CSS) token...

CVE-2015-4498
Published: 2015-08-29
The add-on installation feature in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to bypass an intended user-confirmation requirement by constructing a crafted data: URL and triggering navigation to an arbitrary http: or https: URL at a certain early point i...

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.