Microsoft releases Security Development Lifecycle process template, with free docs

On Tuesday, Microsoft released its Security Development Lifecycle (SDL) Process Template and documentation on the new 4.1 SDL version free to all applications developers -- including those who aren't using the company's development tools.

Microsoft's not the first company to think about incorporating security scrutiny somewhere in the development process, but there's no industry-wide standard for doing so; even the IEEE's SESC Framework hasn't provided any significant mention of security concerns. Microsoft's idea is to integrate security concerns into every step of the development process, and Microsoft counts six of them: setting project requirements, design, implementation, verification, release, and response (support and service).

The Process Template includes various tools and components, including security-aware check-in policies, guidance for customizing an SDL security plan for the product under development, risk-assessment and threat-modeling help, and the like. It can install SDL requirements as work items and integrates with many third-party tools. The documentation, which anyone can download, provides any developer who wants it a detailed look at how Microsoft's framing its development lifecycle to maximize security input in the process without causing nervous breakdowns on the dev team.

The SDL, which grew out of the seven-year-old Trustworthy Computing effort, has been mandatory since 2004 for Microsoft developers working on Internet-facing or enterprise-class projects, when it became exquisitely clear that the company needed a suite of repeatable, quantifiable processes for mixing peanut butter and chocolate the development cycle and security scrutiny. (XP Service Pack 2 and the .NET framework were two early projects developed under the system.)

The resulting drop in Microsoft vulnerabilities discovered post-release since was striking. According to Microsoft statistics, in the first year after XP's initial release, 119 critical or important vulnerabilities turned up; in the first year after Vista's launch, just 66 were spotted.

As SDL implementation spread, so did the improvements, with sharp vulnerability decreases in IE7 and SQL Server 2005, both of which are SDL-era releases. (SQL Server's numbers in particular are eye-catching, with just 3 disclosed vulnerabilities for 2005 in the first three years, compared to 34 in the first three years of SQL Server 2000 -- a 91% drop. IE7 showed a 35% decrease in all vulnerabilities and a 63% decrease in critical- or important-level vulns.) Globally, according to the IBM X-Force 2007 and 2008 reports, Microsoft saw its global share of disclosed vulnerabilities drop from 4.2% in the first half of 2007 to 2.5% a year later -- from first place (in a contest no one wants to win) to third.

With five years and a solid track record under SDL's belt, Microsoft has been looking to share some portion of what it's learned with the outside world, even if the outside world is using other development tools. It's about process transparency, yes, but there's a very practical aspect to it too: Hackers nowadays overwhelmingly target applications, not operating systems.

"Its just better for the ecosystem," says David Ladd, principal security manager of the SDL team, especially since generally speaking developers want to do the right thing by their customers -- meaning, not sell them software full of danger and fail.

A 2007 Gartner study indicates that all help "doing the right thing" would probably be useful. In the firm's survey, an astonishing 70% of enterprises that performed security testing were doing so on shipping products. No one in that study was thinking about security at the design phase and only 10% were addressing issues during implementation, with the remaining 20% slipping in a glance during pre-release verifications.

In contrast, the SDL specifies 13 significant stages over the six phases of the development lifecycle, from cost, risk, and attack-surface analyses early on to fuzz testing, repeated privacy reviews, and even response planning as the product nears market.

"Privacy is a full partner to security as far as the SDL is concerned," says Ladd, which ought to get the attention of any number of companies balefully eyeing new regulations.

Developers and security folk, of course, are generally perceived to be as mutually hostile supermodels and cheeseburgers. But Ladd tells Betanews that's not only a bad attitude but an unfair stereotype; since the SDL has been implemented at Microsoft, any pushback from developers has long since gone by the wayside. It helps that the SDL is designed to translate security thinking into the developer worldview. "To the extent that the process isn't asking [developers] to do stuff that doesn't make sense, they're fine," Ladd says.

The process does add some overhead, particularly at first; one developer to whom Betanews spoke estimated that lifecycle costs for that firm's projects increased about 20% the first time around, with improvement over time. On the other hand, the process provides both auditable information on security requirements and status, but it can demonstrate a return on investment for security expenditures. Proving negatives -- how many attacks a company doesn't suffer -- is a notoriously miserable problem for security, especially at budget time; the SDL offers metrics.

Also on Tuesday, the SDL team announced that it was expanding its "SDL Pro Network" by two members. That pilot program, which was developed both to help introduce SDL to the wider world and to garner additional feedback for refining the process, began in September with nine training and consulting members (IOActive, Leviathan, iSEC Partners, Verizon Business, Cigital, Security Innovation, Security University, the UK's next Generation Security Software, and Germany's n.runs).

The two newest members are SAIC, one of the federal government's largest tech contractors, and SANS, well known for its training programs. Both are DC-area firms with a significant presence in current cybersecurity discussions there; it wouldn't be Microsoft if there wasn't at least a hint there that the company's thinking big thoughts about a big future for its road-tested SDL.