Microsoft issues security guidelines for Agile developers

Redmond seeks to pass on security lessons to other developers

By Jeremy Kirk
Published: 12:51 GMT, 09 November 09

Microsoft will release guidelines for developers building online applications and for those using the Agile code-development process.

The Agile guidelines apply principles from Microsoft's Security Development Lifecycle (SDL) to Agile, an umbrella term for a development model frequently used for Web-based applications released under short deadlines, called "sprints."

Microsoft adopted the SDL following the company's pledge in 2002 to build more secure code after several high-profile worms and other malicious software posed dangerous risks to its customers.

Microsoft to launch SQL Server Modeling preview | Microsoft, Novell defend alliance

But the original SDL doesn't fit the Agile process. Agile differs in that developers have a set time in which to develop certain features, after which the application is immediately released in order to get customer feedback, said Bryan Sullivan, security program manager for Microsoft.

The SDL was originally designed for products, such as the Windows OS, that are non-iterative, meaning that there aren't frequent releases of the product that add just a feature or two. However, all of the SDL requirements have been adopted for the Agile process, but implemented differently, Sullivan said. Agile is used by 85 percent of technology industry professionals, according to Forrester.

Microsoft breaks the SDL down into three requirements: one-time only tasks, those that need to be done for every sprint, and finally "bucket" tasks, which need to be repeated periodically -- such as every six months -- but not for every sprint, Sullivan said. The Agile guidelines will be available on Tuesday on www.microsoft.com.

Microsoft is also releasing a white paper on security for online Web applications. As those applications are increasingly interacting and exchanging information, security is paramount, said Steve Lipner, senior director of security engineering at Microsoft's Trustworthy Computing Group.

The white paper outlines key security issues that developers should consider for web applications, Lipner said. It also discusses security issues that developers should think about when choosing a hosting provider, such as data and physical security.

What are your views on this subject? Use the form below to post a comment on this article up to 500 characters.

Characters remaining: 500

Related Security news

SecureWorks nabs dns for UK footprint

Edinburgh services outfit brought into empire.

08 December 2009

Report predicts rise of self-defending botnets

I spam therefore I am.

China warns of Skype phishing attack

A rare warning from China's cyberthreat response group

New cloud hacking service steals Wi-Fi passwords

WPA Cracker can break passwords in just 20 minutes

Related Security reviews

Alwil Avast! Professional Edition 4.8

McAfee VirusScan Plus 2010

Avira AntiVir Premium Edition

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Database security: Preventing enterprise data leaks at the source

IDC discusses the growing internal threats to business information, the impact of government regulations on the protection of data, and how enterprises must adopt database security best practices...

Download Whitepaper

Service-oriented security

SOA has become an integral part of enterprise software by providing a framework to efficiently develop software as services that is easily sharable, reusable, and integrated. No where is the need more apparent than in the Identity Management space. Welcome to the age of Service-Oriented Security (SOS).

Download Whitepaper

Data protection prospective vendor checklist

Organisations need a way to map business needs against all these challenges in procuring a technical solution. To help, SANS has developed the following Prospective Vendor Checklist.

Download Whitepaper

Unlock the power of the mainframe

This whitepaper presents the notion of CICS as an integration hub based on a component-based, service-oriented architecture supporting Web services. Highlights will review the challenges and contrasted support for Web services natively in CICS.

Download Whitepaper

Techworld UK - Technology - Business

COLT White Paper

Are all VoIP services the same?

Questions to ask your service provider to ensure you get the VoIP service you need
With careful choice of partner, your business can have all the advantages of VoIP access - reduced costs, flexibility and simplicity - without the drawbacks.
This white paper is your guide to ensure you get right the VoIP service and details the pitfalls which businesses would do well to avoid.

Download white paper

Enterprise communications and collaboration in a fast changing world

With capital expenditure budgets drastically reduced, the IT team is facing an unprecedented challenge: just how can it meet demands for more flexible working and improved productivity without embarking upon a sustained investment program.

Download white paper

Webcast: IT Financial Management: Cost Optimisation for Efficiency and Agility.
On Demand Webcast
Join this webcast to learn about the techniques and technologies that can help you prove the value of IT to the business by understanding the true cost of today's IT services and those that will be necessary to deliver future success.

Register Today

Site Map

IDG Network

* *