SAFECode on Confidence: One Size Does Not Fit All

In a recent post by SAFECode, a non-profit organization of software vendors dedicated to increasing trust in information and communications technology products by improving security and assurance methods, Eric Baize of EMC and Steve Lipner of Microsoft discuss the challenging subject of trustworthiness of acquired software.  How a customer gains confidence in acquired software is a frequently asked question of developers.  The latest SAFECode blog discusses three approaches that a … Read more »

Introducing Microsoft Threat Modeling Tool 2014


Today, we are excited to announce the general availability of a new version of a very popular Security Development Lifecycle tool – Microsoft Threat Modeling Tool 2014. It’s available as a free download from Microsoft Download Center here. Threat modeling is an invaluable part of the Security Development Lifecycle (SDL) process. We have discussed in the past how applying a structured approach to threat scenarios during the design phase of development helps teams more … Read more »

SDL Process Templates for Visual Studio Team Foundation Server 2013


Today, we are excited to announce the general availability of a new version of the SDL process templates: Microsoft Solutions Framework (MSF) for Agile 2013 plus Security Development Lifecycle (SDL), and Microsoft Solutions Framework (MSF) for Capability Maturity Model Integration (CMMI) 2013 plus Security Development Lifecycle (SDL). This version of the SDL Process Templates is specific to the Microsoft Security Development Lifecycle version 5.2. The SDL Process Templates automatically integrate policy, process and tools associated … Read more »

Life in the digital crosshairs: the untold story


To mark the 10 year anniversary since the creation of the Security Development Lifecycle, we wanted to tell the behind-the-scenes story of how the SDL came to be.  Back in 2004, Microsoft decided that if we were going to succeed at building trust with our customers, security could not be an afterthought when developing our products and services. So how do you get a large organization like Microsoft to prioritize security … Read more »

Secure Development Is Much Easier Than You Think

Secure software development is something we believe is absolutely critical to helping create safer, more trusted computing experiences for everyone. So much so that we invest in providing free tools, resources and guidance to help organizations adopt an SDL process, and we are actively involved in evangelizing these resources to the security community. However, while these resources have existed since 2008, our Trust in Computing study showed … Read more »

!Exploitable crash analyzer version 1.6

On Wednesday May 1st, !Exploitable crash analyzer version 1.6 became available.  Source code and binaries can be found at https://msecdbg.codeplex.com/. For those who may be unfamiliar with the tool, !Exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. Its primary use is in evaluating crashes found by fuzzing. The first new feature involves changes to the stack hashing portion of … Read more »

Microsoft SDL Conforms to ISO/IEC 27034-1:2011

Steve Lipner here. This morning Scott Charney announced in his keynote at the Security Development Conference that the Microsoft Security Development Lifecycle (SDL) meets or exceeds the guidance published in ISO/IEC 27034-1. The full text from this announcement was as follows: Microsoft has used a risk based approach to guide software security investments through a program of continuous improvement and processes since the Security Development Lifecycle (SDL) became a company-wide … Read more »

The time is now. Security Development Must be a Priority for Everyone

Today marks the first day of the Security Development Conference 2013.  Security professionals from companies, government agencies and academic institutions have traveled from all over the world to learn, network and share proven security development practices that can reduce an organization’s risk. As I sit here waiting for Scott Charney to take the stage, I am reminded that it’s been almost a decade since Microsoft implemented its Security Development Lifecycle … Read more »