Product Watch: Microsoft Rolls Out Free SDL Code For 'Agile' Development

Beta version of Agile SDL template now available, as well as new simplified implementation of SDL and expanded partner program that includes tools from Fortify, Veracode, Codenomicon
WASHINGTON, DC -- Black Hat DC -- Microsoft here today released a software tool that lets developers using the Agile development model apply its Security Development Lifecycle (SDL) processes and tools to write cleaner, less buggy code.

Along with the new MSF Agile + SDL Template for Visual Studio Team System, Microsoft also rolled out a new white paper that provides a simplified guide to SDL, and extended its SDL Pro Network with new consulting firm members and a new category of partners, tool providers -- including Fortify, Veracode, and Codenomicon.

Microsoft in November released the SDL for Agile Development Version 4.1a, a model for Agile developers to integrate SDL into their development processes. Microsoft adapted SDL to Agile requirements, including guidelines on how often to perform threat modeling, static analysis, compiler upgrades, and fuzzing.

Today's announcement is the next step: "This is the code manifestation of SDL based on Agile processes," says David Ladd, principal security program manager for Microsoft.

The MSF Agile + SDL Process Template is available now as a beta; a final release is planned for the end of the second quarter. The tool blends SDL-Agile secure coding processes directly into the Visual Studio IDE. "If you add new code, it will add new SDL requirements based on what you did. It works in the background," Ladd says.

The tool also integrates with other SDL tools that Microsoft has released publicly, including the SDL Threat Modeling Tool, the BinScope Binary Analyzer, and the MiniFuzz File Fuzzer.

The new Simplified Implementation of the Microsoft SDL paper explains how organizations with limited resources can deploy secure development practices and apply them to non-Microsoft software platforms. Microsoft's Ladd says it dispels the misconceptions that SDL is only for Windows and that it requires only Microsoft tools. More than 50,000 developers have downloaded its free SDL tools, and 80,000 have downloaded its SDL guides, he says.

Christien Rioux, chief scientist at Veracode, says the new tool-vendor members of the SDL Pro Network represent various stages and levels of testing code for vulnerabilities and problems.

New members of the SDL Pro Network -- organizations that offer their services to help firms adopt SDL -- include Booz-Allen Hamilton, Casaba Security, Consult2Comply, and Safelight Security Advisors.
