Internal security tools at Microsoft are set to be shared with developers outside the company. The software development lifecycle (SDL) is mandatory for all dev projects in Microsoft, and has been in place since XP SP2 in 2004. This Techworld article has a succinct explanation of its inception and history.
Now, beginning in November, outside developers may download the SDL Threat Modeling Tool 3.0, which can show developers the specific types of vulnerabilities and larger threats their project faces, whether the dev team is experienced in security or not.
They'll also have access to the Optimization Model, which analyzes where a team lands in terms of secure development practices in comparison with others, and provides steps to improve that position.
Microsoft execs say the SDL produces results; the vendor's share of total reported vulnerabilities has been cut almost in half from the middle of 2007 to the middle of 2008. Part of that shift comes from the built-in security practices, but part of it also reflects the growing number of vulnerabilities being found in other vendors' products. And that's why, Microsoft says, it's taking the step of sharing these security tools with those other vendors. If the tools are put in place, vendors and users will be rewarded with a "safer Internet," as Microsoft's Steve Lipner describes it. Microsoft would also like it if you thought of this step as a continuation of the Trustworthy Computing initiative.
The third part of this announcement is a pilot program, the SDL Pro Network. For a fee, clients will have access to consulting and training services from nine third-party vendors, based on the SDL. The list of vendors providing services, according to Dark Reading, includes Cigital, IOActive, NGS Software and Verizon Business.
The Register reports that at an MIS Training Institute IT Security World Conference session this week, Mozilla Corporation CSO and former Microsofty Window Snyder spoke on the improvements that could be realized industrywide if leading vendors, Microsoft and Apple specifically, shared their expertise on building security precautions into development projects from the beginning.
See the SDL blog at Microsoft for more.