Announcements at Black Hat DC demonstrate software assurance commitment and leadership

Microsoft built upon its Secure Development Lifecycle (SDL) this week with an announcement at the Black Hat conference in Washington DC. With this announcement, Microsoft will provide a simplified implementation of SDL. The goal is to spread the goodness of SDL to smaller or less sophisticated development organizations.

Microsoft also extended its support for Agile development with new templates and integration with development and testing tools. Finally, Microsoft announced a number of new partners in its SDL Pro Network (i.e. third parties providing tools and/or services based upon SDL). New recruits include software assurance leaders like Booz Allen Hamilton, Codenomicon, Fortify and Veracode.

This particular Microsoft announcement won’t get much play compared to, say, the Windows 7 announcement, but as a security insider I think it is important for several reasons:

1. It is easy to blame Microsoft for security problems, but these accusations are often based on history, not present reality. The fact is that all of Microsoft’s products go through SDL, and Microsoft is promoting SDL on its own dime. Yes, other software vendors have their own software assurance processes and tools, but no other vendor is as open about its own SDL or working as hard to stress the importance of secure software development.

2. SDL is growing on all fronts: the model itself, adaptation to different development models, integration with development and testing tools, and more and more professional services firms. Again, Microsoft isn’t making money on SDL, but it continues to invest here.

3. If you don’t know SDL, you will soon. Whether it is Microsoft’s SDL or another similar model, secure code development will become a standard in the near future. Why? As the Federal Government embraces cyber supply chain assurance, you won’t be able to sell ANY technology products to the government unless you adhere to an SDL model. The same will hold true in other critical infrastructure industries like financial services, telecommunications, utilities, etc.

I really applaud Microsoft for calling attention to SDL. Whether most people realize it or not, a lot of software developers never think about security as they are writing code. This is the root cause of a lot of our current — and future — security woes.

One final note. Microsoft’s SDL is not a proprietary model for Windows. Any developer can use it. If you are an out-and-out Microsoft basher, I suggest you visit SAFECode.org, an organization focused on software assurance.