Welcome to Secure Development at Microsoft Blog


Welcome to Secure Development at Microsoft, a blog created for us to share new security tools, services, open source projects and best development practices with you. Our aim is to instill a security mindset across the development community as a whole and to enable cross-collaboration among its members. With this blog, our engineers at Microsoft hope to provide you with the right level of technical depth to get you up and running with integrating security assurance into your projects right away.

Looking Back

As we make announcements about new security tools, services, and best practices at Microsoft, let’s take a step back and look at what we’ve released in recent years:

  • Microsoft Threat Modeling Tool – enables non-security subject matter experts to create and analyze threat models by running each potential security issue through a proven methodology and offering suggestions for possible mitigations.
  • Code Analysis for C/C++ – comes with the installation of Visual Studio Team Services Development Edition to help detect and correct code defects. It reads source code one function at a time and looks for incorrect C/C++ coding patterns that may indicate a programming error.
  • BinScope Binary Analyzer – analyzes binaries to ensure they have been built in compliance with the SDL requirements and recommendations. It was designed to detect potential vulnerabilities that can be introduced into binary files.

For a list of older tools and a thorough explanation of the Security Development Lifecycle, check out our official Microsoft SDL Site.

Looking Forward

Surfacing security issues earlier in the development lifecycle has been an important focus for us at Microsoft. To that end, we’ve worked hard these past few months on getting Roslyn (our open source .NET compiler platform) fully up to speed with security requirements. We added relevant checks to the Desktop.Analyzers package, which, at the time of this blog post, has close to 4,000 downloads.

As we proceed with releasing tools, policies and best practices for our customers, there are two goals for us to keep in mind:

  • Help you write secure code by more easily integrating security into your environment
  • Invite you to become a contributor to our open source security tools and projects

For the latest security tooling announcements, please subscribe to this blog. We’re excited to see what we can accomplish together!

Comments (4)

  1. Bob Wilmes says:

    Can anyone from the Secure Development Lifecycle team please point me to guidance about using the SDLC process templates in the Team Foundation Services Online development environment? The last process templates I found are for CMMI using TFS 2013.

    1. JBW [MSFT] says:

      Hi Bob – those templates were produced by a sister team to our own, that has since been re-organized into another part of the company. As a result there isn’t a clear “owner” for them. However we get requests for this frequently, both directly from TFS customers, and from our field staff, so we definitely hear the desire for a new set that works with more recent versions of TFS (and/or a similar solution targeting VSTS for some customers). I periodically bring up the topic with the TFS team, but given the increasing requests, I’ll push harder to re-ignite the effort. That’s not me committing MS to the effort, but I’ll definitely try to make it happen. To that end, are you most interested in getting the templates ported to new versions of TFS? Do you have any need of a similar solution for VSTS? Are there particular templates that would be most helpful (anecdotally I hear a pretty even split of requests for the older waterfall templates and the agile templates)?

  2. Could you change your RSS feed to include the full article content?

    Thanks!

    1. rodrigo.js says:

      Absolutely. Done. Thanks!
