YOUR INPUT PLEASE: Digital Black Belt – Developing an Intentionally Secure Lifecycle.

So… My next Digital Black Belt topic is developing an Intentionally Secure Software Development Lifecycle.


I’m struggling! Almost all the time as a Developer Evangelist at Microsoft, the core content for the sessions that we present “comes in a can”.


To be honest, when “the can” is one of the product teams readying the message around a new product, then “the raw materials” are pretty good, but otherwise… Well, often, not so good.


So, for the Digital Black Belt series I wanted to “own” the content. While this is turning out to be A LOT of work, it’s still absolutely the right thing to do. And let me tell you, it’s no small feat here at Microsoft. With millions of customers, a rabid technical tabloid press who want to throw stones at whatever you do (good or bad) just to sell their rag (or digital equivalent), and competitors who can’t seem to compete at a technical level and so must band together in the spirit of community like Slashdot (the Dilbert of Developers online) – Microsoft has learned to be careful about how we craft communications – ESPECIALLY when the delivery comes via an irreverent, opinionated rogue like me.


So, a lot of good people had to get behind this project from a risk, funding, and endorsement perspective. The review process is grueling. There is a legal review, a public relations review, a security mobilization team review, and then a very valued (ad hoc) critique review from other subject matter experts like Michael Howard and Rick Samona.


This takes a number of weeks.


So after I submit the PowerPoint deck, which for this series is as much intended to be a reference as anything else – I work on the THREE I’s – Information, Insight, and Impact.


Well, I’m a bit stuck on the “Lifecycle” talk.


First, because it seems that most developers look at lifecycle issues and methodologies as boring: “oh yeah, I know, there’s gotta be a process.” Secondly, because from a “steps in the process” perspective there’s little I can say that most developers don’t already know.


So certainly I have to review the steps in the process for completeness’ sake, but after that – how do I add value to YOU!


Well, in my research over the last couple of weeks I’ve found my way to a number of GREAT tools.


Tools that solve REAL problems. Not just technical problems, but process, educational, and humanistic problems.


I’m gonna show a few of them to you in the next DBB session.


So here is my “ask” of you:


Relative to the subject at hand, “Developing a Secure Development Lifecycle Process”, what will be useful to YOU?


I can be your personal research analyst. Interested in a tool, method, etc.? I’ll get it, talk to the experts, and then recount it for you in the session.


Let me know.


In the meantime I’ve got a few cool tools to show you on Friday.


  • A Rockin’ Requirements Management / Authoring / Reporting Tool.
  • A REAL Prototyping Tool that actually adds value and lets you concentrate on the Prototype, rather than what management will make you do with it later.
  • A FREE Threat Modeling tool!!!!
  • An AMAZING application that not only FINDS security holes in your application, but TRAINS you on the attack specifics and gives you DETAILED .NET fix suggestions.
  • And More ….. If I have time !


Please post or email me your thoughts.


I know it sounds hokey to say – but bringing value to YOU developers is what I do for a living !!!!


Many Thanks,



Comments (2)

  1. Joe says:

    Sounds like a great idea. I am looking forward to Friday’s "tool-oriented" content. Can we get short, to-the-point real-life examples with it? Maybe something happened that you’ve heard about from customers or read somewhere, that could have been prevented by using the processes and tools you will discuss?



  2. Brian Nantz says:


    I think this is a great idea. I think MS should offer some kind of a title that could be added to a resume to say that "I have completed the Black Belt Security webcast training." That would be something that I would add to my consulting resume. But only getting something if I am in the first 300 viewers is too much of a gamble for me. I will probably watch the videos anyway but it would be nice to inform customers of the training.

    My 2 cents,

