Microsoft offering security assistance to developers
- — 20 May, 2009 08:12
Offering assistance with application security, Microsoft is extending on Tuesday its Security Development Lifecycle processes to its Visual Studio Team System for application lifecycle management.
The company will offer Version 1.0 of it its Security Development Lifecycle Process Template for Visual Studio Team System, free of charge on MSDN. Originally developed for internal use at Microsoft in 2004, SDL features a software security assurance process. SDL was the basis of several deliverables last year.
With Tuesday's announcement, SDL requirements can be installed as work items and check-in policies.
"What this does is as people are going through their development projects, you can set certain work items, flags, and policies [that] you have" to meet the requirements of SDL, said David Ladd, principal security program manager at Microsoft.
SDL could be used to fight something like cross-site scripting attacks in Web pages, for example, by forcing developers to think about security in the development process, Ladd said. Developers are prompted during the development lifecycle to use tools like dynamic testing tools or perform runtime verification.
Microsoft had used SDL to harden its OS and stamp out bugs. Lately, though, applications have become a focal point for attackers, and SDL can be applied to application development processes, company representatives said. "OSes are really no longer easy territory for hackers, and as a result, the percentage of attacks against OSes has dropped sharply," Ladd said.
"The application space is where the new frontier is for hackers," he said.
Microsoft also is releasing Version 4.1 of its SDL process documentation, which offers SDL processes for online services and line-of-business applications. New requirements threat remedies are detailed. The documentation can be applied to development of non-Windows applications.
"We're essentially trying to share the SDL processes, training, [and] tools with the development ecosystem," Ladd said.
In another Microsoft-related development being announced Tuesday, Black Duck Software said it has entered into an agreement with Microsoft in which projects from the Microsoft CodePlex open source project hosting site will be fed automatically into the Black Duck open source KnowledgeBase repository. Projects will be searchable via the Black Duck Koders.com search engine for open source and other downloadable code.
The arrangement assures ongoing coverage of CodePlex projects in the Black Duck KnowledgeBase, which is used for detecting and managing open source components in software projects, Black Duck said.
Black Duck KnowledgeBase features a repository of more than 200,000 open source projects collected from more than 4,100 Internet sites.