Hi everyone! Jeremy Dallman here. I would like to announce a new and easier way to integrate the SDL into your development lifecycle.
In the year since we released the Microsoft SDL Process Guidance documentation, companies interested in adopting the SDL have often asked us “where do I start”? In the past year, we’ve provided the SDL Optimization Model, The SDL Threat Modeling Tool, and the SDL Pro Network as great options to get you started. Quite often, the follow-up comment has been “I just need a way to practically apply the SDL in my development lifecycle… can’t you just put it into Visual Studio?” In order to successfully integrate security into their development process, the people who own a security initiative realize that they need to introduce secure development practices and the SDL with minimal impact on their existing development frameworks and as part of the familiar environment.
Today we are making available the Microsoft SDL Process Template.
The SDL Process Template is a free downloadable template for Visual Studio Team System that integrates the SDL directly into a customer’s software development environment. Because it integrates with the team and process features of Team System, you do need a Team Foundation Server to manage your work. This is our first comprehensive offering that addresses all phases of the SDL from Requirements through Release.
By taking advantage of the rich functionality in Visual Studio Team System and Team Foundation Server, we are now able to offer an SDL solution that reduces the barrier to entry for SDL adoption, provides auditing for satisfying the security requirements, and demonstrates security return on investment. The SDL Template is intended to provide the foundational components of the SDL for every phase of your development project.
How to check it out for yourself
We hope you will take the time to download the SDL Process Template and consider using it to integrate security and the SDL into your team project. If you do not currently use Visual Studio Team System, but would like to evaluate the SDL Process Template, evaluation versions in both VPC and Hyper-V environments are available for download. You can simply upload the SDL Process Template into that virtual environment and check it out for yourself.
A quick walk-through
Here is a quick preview of the basic functionality the SDL Process Template offers:
Process Guidance: Integrated SDL Overview, SDL documents, and How to customize
After installation completes and a new Team Project is created, the first page that appears is the Process Guidance page. This page provides everyone on the project with:
- A brief overview of the SDL
- Five steps for Getting Started on an SDL project
- Details on customizing the template and extending it for third party security tools
Below: The SDL Process Guidance “front page”
SharePoint: SDL Document Library and Project dashboard
Since SharePoint is included with Visual Studio Team System, The basic SharePoint site provides a single location for all project participants to get a common view of project status, related announcements and dates, and access the large document library.
Below: the SharePoint site serves as a project dashboard
SDL Requirements: Pre-loaded SDL work items ready to triage
By selecting the “All SDL Tasks” query the team can find the pre-populated list of all SDL Requirements and Recommendations. No more trying to figure out where to start when it comes to defining security requirements! The SDL Template also provides a custom work item that allows you to create and add your own unique requirements or recommendations.
Below: all SDL Requirements and Recommendations pre-loaded and ready to triage
SDL Check-in Policies: Enforce SDL policy with existing VS features
Developers care about security, but they want it to be intuitive. We have provided check-in policies that will ensure every set of code is taking advantage of the SDL required compiler/linker flags and Code Analysis features already in Visual Studio. This will eliminate entire classes of security weaknesses from your code. A Security Code Review work item is also included to support enforcement of security code reviews for security-sensitive code.
Below: Setting Check-in policies
Below: Check-in policies in action
Customized Security bugs: Tag and track Cause, Severity, and STRIDE Effect
Testers want to be able to emphasize the importance of a security bug and properly communicate the impact to their product. The default “bug” work item now has customized security fields so you can identify security cause, severity, and security effect (using STRIDE), and mark a bug as Blocking or Not Blocking. This feature allows you to track and search for security-specific bugs.
Below: Identifying a bug as a security issue
Final Security Review: Track and audit the state of all active security bugs, completion of SDL tasks, and effectiveness of security tools
The entire team and especially senior management want an easy-to-read document that summarizes the security work completed. The Final Security Review Report and Security Bugs Report provide an auditable set of evidence that details security work completed as well as deferred tasks.
- Page One: status of all bugs marked as Security Bugs
- Page Two: completion status for the SDL Requirements and Recommendations
- Page Three: security bugs found by all tools integrated with the template
Below: Page 1 of the Final Security Review
Below: Page 2 of the Final Security Review
Threat modeling: Seamless integration with the SDL Threat Modeling Tool
Threat modeling is a critical part of your early design process. It informs architects of the attack surface, provides insight for the developers to write more secure code, and enables testers to more effectively build test cases to verify mitigations. The SDL Process Template includes a script that will convert SDL Threat Modeling tool issues into security bugs and hook into the reporting piece of the template.
We hope you will take a look at the SDL Process Template and consider using it to ease adoption of the SDL in your development teams. As we move forward with more SDL offerings, our plan is to integrate any tools and guidance into the SDL Process Template – making it a dynamic foundation for an end-to-end SDL solution.
We look forward to your feedback as you download and begin using the SDL Process Template to make your code more secure.