I’ve seen a flurry of feedback since I announced the Microsoft SDL template. I’d summarize much of that feedback as “We don’t want a single template that results in secure code development. We use a variety of templates and we want all of our development to be secure.” I couldn’t agree more with that general sentiment, and unfortunately the posting of this template and my announcement of it all happened so fast I just didn’t really have time to think about it. There was also a little bit of “the left hand wasn’t paying attention to the right hand.”
As soon as the feedback started coming in, we started talking to the SDL team about this and learning more about what the future holds. I think everyone understands that we don’t just want “one template for secure software development”. As a result of these discussions, we’ve been adjusting and accelerating plans. First, the team is working very hard on a whitepaper that will talk about the key elements of the SDL template and provide guidance on how to integrate them into your existing templates. The idea of process template composability, where you can choose practices to combine together into your process, is something the TFS team is interested in down the road and would enable this kind of thing to be easier. I’m hoping this guidance will be available in the next several weeks and I’ll let you know when it is.
Further, the team is looking at creating a version of the MSF Agile template that incorporates many of these concepts for all of the customers who want to do Agile development but are also very interested in the SDL. I’m not sure what the delivery timeframe for this is but it will take a good bit longer.
Ultimately, I view this as a point-in-time problem. We had to start somewhere and the simplest thing for the team to do was to create a process template where they could experiment with the concepts and tooling. I’m really pleased they’ve taken the initiative to do this and believe it adds something very valuable to the development process knowledge base. As it matures, we’ll be working to make sure it integrates well with the tools and processes you already use.
Updated 5/31 – Here’s a link to the SDL blog on the topic: http://blogs.msdn.com/sdl/archive/2009/05/22/sdl-template-and-agile.aspx
Thanks for the feedback. I like that you all challenge us on things and make us think hard about them.