The SDL pond may have seemed quiet over the holidays, but we have three new announcements we hope will make ripples for developers and organization who want to adopt the SDL. We are announcing three new releases at the Black Hat conference in Washington DC today:
1. a new white paper: Simplified Implementation of the Microsoft SDL
2. a new program: SDL Pro Network Tools category and new members
Simplified SDL whitepaper
First up is the release of the Simplified Implementation of the Microsoft SDL white paper. One of the common misconceptions about the Microsoft SDL is that you have to be an organization the size of Microsoft in order to be able to implement it. Another misconception is that the SDL is only appropriate for Microsoft languages and Microsoft platforms, and that you need to use some other methodology if you’re writing code with Ruby for OS X. The Simplified SDL white paper helps address these misconceptions by explaining how the SDL can be implemented with limited resources and applied to any platform. By outlining a minimum threshold that stays true to the core attributes of the SDL, this paper provides an effective model for building an effective security development lifecycle in any organization.
SDL Pro Network Security Tools category and new members
Our second announcement is the expansion of the SDL Pro Network to include a new category of membership, Tools, which will complement the existing Consulting and Training categories. Tools member organizations are able to deploy security tools such as static analysis tools, fuzzers, or dynamic and binary analysis tools. Security tooling is a critical piece of the SDL and we’re excited to have this new Pro Network category to help organizations use their tools and their time more effectively.
We’re also announcing an expansion of the Pro Network to include seven new members:
· Fortify (Tool Member)
· Veracode (Tool Member)
· Codenomicon (Tool Member)
· Booz-Allen Hamilton (Consulting Member)
· Casaba Security (Consulting Member)
· Consult2Comply (Consulting Member)
· Safelight Security Advisors (Training Member)
We welcome our new members and hope you will consider them or our other Pro Network members for your security training, consulting, and tooling needs.
MSF for Agile + SDL Process Template
Last, but not least, we’re releasing the first public beta of the new MSF for Agile Software Development plus SDL Process Template for VSTS 2008, or “MSF-A+SDL” for short. Like the SDL Process Template we released last year, this template helps teams to integrate secure development processes directly into their Visual Studio Team System development environment. However, the MSF-A+SDL template is based on the new SDL-Agile process. MSF-A+SDL also has some completely new features from our previous SDL Process Template offering:
· Automatic generation of SDL task work items for new iterations. Given that Agile projects can live forever (as in the case of web applications or cloud services with no defined “end date”), these projects need to periodically re-complete SDL requirements as defined in the SDL-Agile process. The MSF-A+SDL template accomplishes this by creating new security tasks for the project whenever a user adds a new iteration.
· Automatic generation of SDL task work items for new code. Whenever new Visual Studio projects or web sites are checked into an MSF-A+SDL project’s source control repository, the template will generate new SDL requirements appropriate to that project. For example, if the user creates a new C# web site, the template will add requirements such as disabling ASP.NET tracing, and applying the AntiXss library.
· Much more, that we’ll be posting about here soon
If you’re attending Black Hat this week and would like to see MSF-A+SDL in person, come to Bryan’s talk “Agile Security; or, How to Defend Applications with Five-Day-Long Release Cycles” on Wednesday February 3 at 1:45.
Just in case you missed them inline, here are some handy links: