Great blog post by Steven Sinofsky from the Windows division, reminding folks that Windows 8 is going to be built using the Microsoft SDL. From the blog post:
Secure by design
We use the Security Development Lifecycle (SDL) to build Windows with the best security design, development and testing practices available. Some highlights include:
- Threat modeling and security design reviews. During the design process we consider how criminals might seek to attack features and scenarios, and incorporate this analysis into our designs.
- Writing secure code. Training and code quality tools help to prevent common coding issues from entering the Windows source code.
- Penetration testing. Security engineers take an attacker’s perspective when reviewing a completed set of features that make up a scenario.
- Security code reviews. Security engineers provide additional security-oriented code reviews for highly sensitive components.
- Security tools. Tools continuously updated with the latest state of the art in finding and exploiting software provide a scalable solution to improve existing code.