Product Watch: Microsoft Rolls Out Free SDL Code For 'Agile' Development

Beta version of Agile SDL template now available, as well as new simplified implementation of SDL and expanded partner program that includes tools from Fortify, Veracode, Codenomicon

WASHINGTON, DC -- Black Hat DC -- Microsoft here today released a software tool for developers using the Agile development model to deploy its Security Development Lifecycle (SDL) processes and tools for writing cleaner and less buggy code.

Along with the new MSF Agile + SDL Template for Visual Studio Team System, Microsoft also rolled out a new white paper that provides a simplified guide to SDL, and extended its SDL Pro Network with new consulting firm members and a new category of partners, tool providers -- including Fortify, Veracode, and Codenomicon.

Microsoft in November released the SDL for Agile Development Version 4.1a, a model for Agile developers to integrate SDL into their development processes. The software giant basically modified SDL to meet Agile requirements, including guidelines that explain the frequency of threat modeling, static analysis, upgrading compilers, and fuzzing.

Today's announcement is the next step: "This is the code manifestation of SDL based on Agile processes," says David Ladd, principal security program manager for Microsoft.

The MSF Agile + SDL Process Template is a beta version and is available now; it will be updated to a final release form at the end of the second quarter. The tool blends SDL-Agile secure coding processes directly into the Visual Studio IDE. "If you add new code, it will add new SDL requirements based on what you did. It works in the background," Ladd says.

The tool also integrates with other SDL tools that Microsoft has released publicly, including the SDL Threat Modeling Tool, BinScope Binary Analyzer, and MiniFuzz File Fuzzer.

The new Simplified Implementation of the Microsoft SDL paper explains how organizations can deploy secure development practices with limited resources and apply them to non-Microsoft software platforms. Microsoft's Ladd says it dispels misconceptions that SDL is only for Windows and requires only Microsoft tools. More than 50,000 developers have downloaded its free SDL tools, and 80,000 have downloaded its SDL guides, he says.

Christien Rioux, chief scientist at Veracode, says the new tool-vendor members of the SDL Pro Network represent various stages and levels of testing code for vulnerabilities and problems.

New members of the SDL Pro Network -- organizations that offer their services to help firms adopt SDL -- include Booz Allen Hamilton, Casaba Security, Consult2Comply, and Safelight Security Advisors.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
