At Tech-Ed EMEA 2008 we introduced new programs and tools modeled after the our internal Security Development Lifecycle (SDL) process that enables software developers to create more secure and privacy-enhanced applications.
Three elements were introduced to SDL:
- SDL Optimization Model. Free model for facilitating gradual, consistent and cost-effective implementation of the SDL
- SDL Pro Network. Network of professionals who can help guide and support software developers in implementing SDL in their environments
- Microsoft SDL Threat Modeling Tool. Guidance in drawing threat diagrams, guided analysis of threats and mitigations, integration with bug tracking systems and reporting capabilities
SDL is a methodology for developing and programming that Microsoft created in-house and refined over the lifecycle of several major product releases and over a multi-year period. It's a series of best practices for developers and designers to evaluate and consider security issues from the moment they design a product, instead of tacking on security as an afterthought, or not doing it at all.
The result has been to make Microsoft products more secure. Although the process is not perfect given its complexity, the number of critical bugs has dropped in half for major product releases.