SDL Announcements at TechEd EMEA

Hello all, Dave here…



I am in Barcelona, Spain with Michael Howard and Adam Shostack at the TechEd EMEA: Developers Conference.



In addition to teaching and attending security sessions, we are in Barcelona to formally announce the launch of the SDL Optimization Model, SDL Pro Network and the Microsoft SDL Threat Modeling Tool Beta! For those of you who are unaware of these initiatives, here’s a description of each…



SDL Optimization Model: The SDL Optimization Model was created to facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside of Microsoft. It allows development managers and IT policy-makers to assess the state of security in development and create a vision and road map for reducing customer risk.


Specific objectives of the model include the following:



·         Enable organizations outside of Microsoft to create more secure and privacy-enhanced software by successfully implementing the SDL


·         Allow organizations to self-assess current software development security practices and create a strategy for gradual improvement


·         Provide SDL Pro Network service providers with a consistent and effective framework for providing SDL services



SDL Pro Network: The SDL Pro Network is a group of security service providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the Microsoft SDL. SDL Pro Network service providers will guide and support organizations in implementing the SDL into their environments.



The primary focus area for all members, both now and in the future, will be to deliver on the program’s commitment to make the SDL available outside Microsoft, specifically focusing on these issues:



·         Protecting the customer – Helping customers adopt the SDL or general secure coding practices.


·         Improving the SDL – Leveraging member knowledge to understand how the SDL is used by customers, what needs to be modified and what customer needs must be met in the future.



SDL Threat Modeling Tool Beta: The Microsoft SDL Threat Modeling Tool Beta allows for structured analysis, proactive mitigation and tracking of potential security and privacy issues in new and existing applications. Microsoft developed the tool and we use it internally on many of our products. This tool offers a threat modeling methodology that any software architect can lead effectively — in contrast with other processes, which are more expert-dependent. A few quick notes about the features:



·         Automated guidance and feedback in drawing threat diagrams


·         Guided analysis of threats and mitigations based on the STRIDE taxonomy


·         Integration with bug- and issue-tracking systems like Visual Studio Team Foundation Server


To learn more about these, visit the SDL portal.


By the way, if you are in Barcelona and want to stop by and chat, the session list is below:


SDL Theater Sessions:


·         Getting started with the new SDL Threat Modeling Tool


Adam Shostack, Theater 1, Tuesday, Nov. 11, 15:20 – 15:40



·         You could do that but it would be wrong – a discussion of pros/cons of threat mitigations


Michael Howard & Adam Shostack, Theater 1, Thursday, Nov. 13, 10:20 – 10:40


General Sessions:


·         DVP308: How I Learned to Stop Worrying and Love Threat Modeling, Nov. 12, 10:45 – 12:00


·         DVP309: How to Review Your Code and Test for Security Bugs, Nov. 13, 3:15 – 4:30


·         DVP312: Top Ten Strategies to Secure Your Code, Nov. 14, 10:45 – 12:00



About the Author
Dave Ladd

Principal Security Group Program Manager