Hello all, Dave here…
I expect that a number of you have seen the announcement and various press articles or Steve Lipner’s Tuesday post about our launch of the SDL Threat Modeling Tool 3.0, the SDL Optimization Model and the SDL Pro Network. Since I was intimately involved with the creation of the SDL Pro Network, I thought I’d write a few words about our objectives and chat a bit about the thinking behind our partner choices for the pilot phase.
So, what are we hoping to gain by creating a network of security consulting and training experts to work with customers who want to implement the SDL? Generally speaking, this question has a two-part answer: First, Microsoft is, and always will be, a partner-driven company – we rely on the skills and capabilities of our partners to provide specialized services and broad geographic coverage for Microsoft products and services. Second, even though there are talented folks in the Microsoft Services organization, it’s clear that we will need help from our partners to scale to meet the demand. I can’t tell you how many times the folks on the SDL team have been approached by people – after an executive briefing, or a session at TechEd – asking for guidance in implementing the SDL in their own organizations. When we look at the demand and pair it with the geographic diversity of our customer base, it’s clear that a partner approach is the right answer.
Now a few words about the partners who will be participating in the pilot phase…
After the decision was made to work with partners on SDL delivery, we had two primary criteria that we had to address: partner quality, and manageability of the SDL Pro Network pilot. We have all seen instances where individuals or consulting organizations have represented themselves to the IT community as having security expertise when in reality the “experts for hire” were simply reading a page or two ahead of the customer in whatever security tome was “in vogue” at the time.
Based on those observations, it was clear that partner “quality” was a critical criterion. Fortunately for us, we didn’t have to look far to satisfy our quality bar – many of the companies in the SDL Pro Network pilot have direct experience with executing portions of the SDL on our products, or have delivered services to Microsoft in a security context. Design reviews, code reviews, penetration testing, training and other tasks critical to SDL implementation were (and are) common fare for these folks.
Despite the customer demand for SDL that I alluded to above, starting with a small pilot was the right thing to do; a small group of trusted consultancies supports our imperative for quality and it allows us to pragmatically grow the SDL Pro Network as the market matures. As we continue to evolve and innovate with the SDL, we’ll have a strong core of partners to help drive the software security message.
Will we grow the SDL Pro Network? The qualified answer is: “When the market demands it…” – there are a number of talented potential partners who meet the quality bar – and clearly, the need for security in software development will grow to demand additional talented specialists. However, it’s our plan to begin with a small set of partners of known expertise, and then respond to growing demand as it materializes.
So there you have it – the nuanced beginning and bright future of the SDL Pro Network… I invite your comments, and encourage you to check in at the SDL Portal as we continue to build out the program.