Contributing Writer

Microsoft SDL Progresses

Feb 03, 2010 · 3 mins

Topics: Cisco Systems, Data and Information Security, Microsoft

Announcements at Black Hat DC demonstrate software assurance commitment and leadership

Microsoft built upon its Secure Development Lifecycle (SDL) this week with an announcement at the Black Hat conference in Washington DC. With this announcement, Microsoft will provide a simplified implementation of SDL. The goal here is to spread the goodness of SDL to smaller or less sophisticated development organizations.

Microsoft also extended its support for Agile development with new templates and integration with development and testing tools. Finally, Microsoft announced a number of partners to its SDL Pro Network (i.e. third parties providing tools and/or services based upon SDL). New recruits include Software Assurance leaders like Booz Allen Hamilton, Codenomicon, Fortify and Veracode.

This particular Microsoft announcement won’t get much play compared to, say, the Windows 7 announcement, but as a security insider I think it is important for several reasons:

1. It is easy to blame Microsoft for security problems, but these accusations are often based on history, not present reality. The fact is that all of Microsoft’s products go through SDL and Microsoft is promoting SDL on its own dime. Yes, other software vendors have their own software assurance processes and tools, but no other vendor is as open about its own SDL or working as hard to stress the importance of secure software development.

2. SDL is growing on all fronts: the model itself, adaptation to different development models, integration with development and testing tools, and more and more professional services firms. Again, Microsoft isn’t making money on SDL, but it continues to invest here.

3. If you don’t know SDL, you will soon. Whether it is Microsoft’s SDL or another similar model, secure code development will become a standard in the near future. Why? As the Federal Government embraces cyber supply chain assurance, you won’t be able to sell ANY technology products to the government unless you adhere to an SDL model. The same will hold true in other critical infrastructure industries like financial services, telecommunications, utilities, etc.

I really applaud Microsoft for calling attention to SDL. Whether most people realize it or not, a lot of software developers never think about security as they are writing code. This is the root cause of a lot of our current — and future — security woes.

One final note. Microsoft’s SDL is not a proprietary model for Windows. Any developer can use it. If you are an out-and-out Microsoft basher, I suggest you visit, an organization focused on Software Assurance.

Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.