News

Microsoft To Expand Security Lifecycle Expertise

Microsoft is crossing the aisles to see the security process through from start to finish -- not just internally, but for outside software developers too.

Microsoft is crossing the aisles to see the security process through from start to finish -- not just internally, but for outside software developers too. The company plans to export its Security Development Lifecycle (SDL) process to a greater extent by releasing tools and support to IT pros later this fall, Redmond said this week.

The software giant wants to support developers in building fortified apps, starting at the design and development phase with SDL.

SDL is a "software security assurance process" that has been in place as part of Microsoft's internal architectural policy, going as far back as 2004, explained Steve Lipner, Microsoft's senior director of security engineering strategy for the Trustworthy Computing Group, in a Microsoft-published Q&A.

The SDL methodology, he said, has led to security improvements in flagship products such as Windows Vista and SQL Server. In recent months, hackers have favored attacks on SQL Server solutions via the Internet, although Microsoft has explained the vulnerability as due to insecure Web pages and Web applications.

SDL allows development managers and IT policy-makers to "assess the state of their secure software development practices and to create a vision and road map for reducing customer risk," Lipner explained.

In an effort to broaden its SDL practices, Microsoft is planning a three-pronged rollout, beginning in November.

First, Microsoft plans to make its SDL optimization model (PDF) freely available via a download on MSDN.

Second, if IT pros want to consult security experts, Redmond is forming a "SDL Pro Network," which will be available in November. The network will include trained independent channel partners and Microsoft staff members in the United States and Europe.

Microsoft also generally plans to share its SDL concepts with independent software vendors, partners and customers as a means to achieving security and privacy throughout the "entire computing ecosystem."

Finally, Microsoft plans to release an SDL Threat Modeling Tool 3.0 (PDF) in November. The tool is similar to risk assessment and analysis solutions used to map enterprise IT security.

Microsoft's SDL announcement is part of the company's broader outreach on security. In August at the Black Hat Conference, Microsoft promoted a more collaborative effort on security issues. It also promised for greater transparency during its security patch release cycles.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

  • Most Microsoft Retail Locations To Shut Down

    Microsoft is pivoting its retail operations to focus more on online sales, a plan that would mean the closing of most physical Microsoft Store locations.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.