Offering assistance with application security, Microsoft is extending its Security Development Lifecycle processes to its Visual Studio Team System for application life-cycle management.
The company will offer Version 1.0 of it its Security Development Lifecycle Process Template for Visual Studio Team System, free of charge on MSDN. Originally developed for internal use at Microsoft in 2004, SDL features a software security assurance process. SDL was the basis of several deliverables last year.
With Tuesday's announcement, SDL requirements can be installed as work items and check-in policies.
David Ladd, principal security program manager at Microsoft, said that with SDL, developers can set certain work items, flags and policies that they have to meet.
SDL could be used to fight something like cross-site scripting attacks in Web pages, for example, by forcing developers to think about security in the development process, Ladd said. Developers are prompted during the development life cycle to use tools like dynamic testing tools or perform runtime verification.
Microsoft had used SDL to harden its operating system and stamp out bugs. Lately, though, applications have become a focal point for attackers, and SDL can be applied to application development processes, company representatives said. “OSes are really no longer easy territory for hackers, and as a result, the percentage of attacks against OSes has dropped sharply,” Ladd said.
“The application space is where the new frontier is for hackers,” he said.
Microsoft is also releasing Version 4.1 of its SDL process documentation, which offers SDL processes for online services and line-of-business applications. New requirements threat remedies are detailed. The documentation can be applied to development of non-Windows applications.
“We're essentially trying to share the SDL processes, training [and] tools with the development ecosystem,” Ladd said.
In another Microsoft-related development being announced, Black Duck Software said it has entered into an agreement with Microsoft in which projects from the Microsoft CodePlex open source project hosting site will be fed automatically into the Black Duck open source KnowledgeBase repository. Projects will be searchable via the Black Duck Koders.com search engine for open source and other downloadable code.
The arrangement assures ongoing coverage of CodePlex projects in the Black Duck KnowledgeBase, which is used for detecting and managing open-source components in software projects, Black Duck said.
Black Duck KnowledgeBase features a repository of more than 200,000 open-source projects collected from more than 4,100 Internet sites.
