Come November

Sep 17, 2008 11:46 GMT

Microsoft, a company once regarded as being at the periphery of the security universe, has slowly made its way to the center and, come November 2008, will be the source of a new model for developers industry-wide to follow. The Redmond company is looking to share the Security Development Lifecycle (SDL), which debuted in 2004, with the world. Microsoft is currently cooking the SDL Optimization Model, the SDL Pro Network, and the Microsoft SDL Threat Modeling Tool for availability this fall.

“The Microsoft SDL Optimization Model was created to facilitate consistent and cost-effective implementation of the SDL in development organizations outside of Microsoft,” stated Steve Lipner, senior director of security engineering strategy in Microsoft’s Trustworthy Computing Group. “It allows development managers and IT policy-makers to assess the state of their secure software development practices and to create a vision and road map for reducing customer risk. In November, we will make the model freely available via a download on MSDN.”

By sharing the Microsoft SDL Optimization Model with the members of the software industry, the Redmond giant aims to catalyze a new level of security and privacy in technology, especially in products focused on the cloud. As an integral part of the company's efforts, Microsoft is ready to offer its own internal threat modeling tool as a free download in November.

“The tool allows software architects to identify and mitigate potential security issues early, when they are relatively easy and cost-effective to resolve. Most importantly, it offers a threat modeling methodology that any software architect can lead effectively, in contrast with other processes, which are more dependent on security experts,” Lipner explained.

But the Microsoft SDL Threat Modeling Tool is only one part of the equation. Microsoft is in fact ready to do much more. Also in November, the SDL Pro Network will go live. Lipner indicated that the network would start with a one-year pilot phase, during which membership would be limited.

“We created the SDL Pro Network, which combines guidance and SDL best practices with the expertise of security service providers, to address the challenges developers are facing with attacks moving up the stack and into the application layer,” Lipner revealed.