Microsoft announced on Tuesday that the company plans to release three security programs in November to help companies reduce vulnerabilities in their software products and design more secure products for the future.
Starting in the fall, Microsoft will let organizations download its Secure Development Lifecycle (SDL) Optimization Model, which lets them gauge the completeness and maturity of their own software development programs and identify gaps in their practices, Steve Lipner, senior director of security engineering strategy at Microsoft, said in an interview transcript posted online by the company. Microsoft will also kick off a one-year pilot of its SDL Pro Network, which allows consultants to get certified for their knowledge and experience in implementing SDL concepts. Finally, the software giant also plans to release a threat modeling tool based on the Secure Development Lifecycle.
"We wanted to enable organizations outside of Microsoft to create more secure and privacy-enhanced software by implementing the SDL -- a process that's proved successful within Microsoft," Lipner said in the interview. "We felt it was important to provide organizations with a way to self-assess their current software development security practices and create a strategy for improvement."
The three programs are based on lessons learned by Microsoft since the company embarked on the Secure Development Lifecycle as part of its Trustworthy Computing Initiative, kicked off by then-CEO Bill Gates in January 2002. Two years ago, Microsoft started training third-party driver and software partners in the Secure Development Lifecycle in an attempt to reduce crashes. Windows Vista, the company's latest operating system, used the SDL to reduce flaws in the final product.
The SDL Optimization Model and SDL Threat Modeling Tool will both become freely available in November, the software giant said. The SDL Pro Network will have a limited number of participants for the first year.
Posted by: Robert Lemos