The security best practices that helped Microsoft secure products including Windows 7, Windows Server 2008 R2 and Office 2010 will have a consulting services option associated with them starting next month.
According to David Ladd, Principal Security Program Manager, Microsoft’s SDL team, the move was necessary per the input the company received from adopters of the Security Development Lifecycle outside of Redmond.
Essentially, the software giant will be directly engaged with customers as they embrace SDL starting in February 2011.
“I am pleased to note that on Feb. 21, 2011, Microsoft Services will begin offering Security Development Lifecycle (SDL) consulting services for customers that want Microsoft involvement in their adoption of the Microsoft SDL.
“The services include a variety of training and guidance on the various aspects of the SDL. This is a paid consulting service and prices will vary according to the extent of Microsoft's consulting involvement,” Ladd explained.
Of course, all the SDL resources, tools, guidance, etc. that the software giant has been sharing with third-party developers for years now are available free of charge, and in fact, will continue to be free of charge.
As far as the Windows client is concerned, the benefits associated with SDL have been clearly visible with releases such as Windows Vista and Windows 7.
Windows 7 for example is plagued by less vulnerabilities than its predecessors, and where security holes do exist, they’re harder to exploit through attacks because of the added mitigation layers introduced by Microsoft.
However, in the end, Windows is only as safe as the sum of its parts, especially after users install a number of software applications.
A recent report from security firm Secunia for software in the Top-50 portfolio, which includes prevalent technologies such as Internet Explorer, .NET Framework, Sun/Oracle Java, Adobe Reader, and Adobe Flash, reveals that the programs introduced in Windows 7 added some 709 vulnerabilities in 2010 alone.
Microsoft does offer comprehensive help to third-party developers by sharing SDL with the world, and with the upcoming consulting services, but devs need to also understand that they have a responsibility to build secure software.
Attack Surface Analyzer is available for download here.
The BinScope Binary Analyzer is available for download here.
SDL Threat Modeling Tool 3.1.6 Beta is available for download here.