Full of I.T.

Kevin Remde's IT Pro WebLog

I’d pounce on this if I were still a Software Engineer

Sometimes I see or read about really cool things from Microsoft... development tools and resources that really make me wish I were still a Software Engineer.  I’ve always loved the creativity and problem solving that software development affords.  Example: the new tools coming in Visual Studio 2005 still make me salivate, quite frankly.

I remember when I was a developer seeing good documentation coming from Microsoft and others, and getting really excited.  I was especially pleased whenever Microsoft would release some white-paper about how THEY were doing development (the way I do now when I look at how Microsoft does IT, too.)

What made me think of that was a letter I found in my inbox this morning.  Michael Howard sent a letter to the NTBugtraq e-mail listserver membership which was published earlier today.  In it he describes a new Microsoft “Security Development Lifecycle” paper:

“The SDL is the process that Microsoft has implemented for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft’s software development process. These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing during a focused “security push”. Before software developed under the SDL can be released, it must undergo a Final Security Review by a team independent from its development group. When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities. This paper describes the SDL and discusses experience with its implementation across Microsoft software.”

So this is the sort of thing that, as a former developer, gets me excited on behalf of developers everywhere!  You can compare your company’s secure development process to the way Microsoft does it, and borrow from our best practices.  (Does the phrase, “Don’t reinvent the wheel” mean anything to you?)

And I encourage all of my counterparts on the MSDN team to blog about this paper, too.