Microsoft integrates Visual Studio with security tools

Microsoft Tuesday said it will deepen ties between its Visual Studio development tools and the secure applications development processes first developed inside the company and now available to outsiders.

Microsoft will upgrade its Security Development Lifecycle (SDL) process with templates, new partners and supporting documentation. The company made the announcement at the Black Hat Conference. SDL, which was born from a 2002 Bill Gates mandate on secure code, is a process Microsoft has used since 2004 to develop software.

The process includes development of threat models during software design, the use of code scanning tools during implementation, and code reviews and security testing.

Microsoft Tuesday said it would shortly release a beta of a template for rapid applications development that works with Visual Studio Team System 2008/Team Foundation Server and integrates SDL with the Microsoft Solutions Framework (MSF) and Agile development practices. Agile development is based on process management with multiple check-ups on the work along the way. The final release will come before the end of June.

The template automatically creates workflow items to meet SDL security requirements each time code is checked in to the server. There is also an analyser feature to ensure code meets SDL guidelines.

In addition, Microsoft has created a Reader's Digest version of the implementation guidelines for the SDL, focusing on the fact that SDL applies beyond Windows and shrink-wrapped software and does not require Microsoft specific tools.

Microsoft also said it was expanding its lineup of partners that help users implement SDL, including a new tools category. New for the tools category are Fortify, Veracode and Codenomicon, the new training member is Safelight Security Advisors and the new consulting members are Booz-Allen Hamilton, Casaba Security and Consult2Comply.