Following comprehensive in-house efforts to make its software products as robust as possible, in 2008 Microsoft moved to share its Security Development Lifecycle (SDL) process with third-party developers. At that time, the Redmond company made the SDL 3.2 resources available to the developer community. A year later, the SDL 4.1 process release followed, with Microsoft steadfast on the path of Trustworthy Computing. But the fact is that the SDL can ultimately benefit end users only if the process is adopted not only in the development of Microsoft products, but also in that of third-party applications. In this regard, David Ladd, senior security program manager on the Security Engineering Strategy Team, squashed the myth that the SDL "only works for Microsoft" or "is only suitable for development on Microsoft platforms."
“Honestly, that's a bit of a shocker for me. Security training, threat modeling, static code analysis, fuzz testing and other security actions performed as part of the SDL are not proprietary to Microsoft or the SDL. While the 4.1 documentation is focused on how the SDL is applied at MS, it doesn't require a Nobel Laureate to see that many of the things that make up the SDL are simply good security practices. So, I'd encourage people to take a look at the requirements and recommendations that are listed in the document and form your own conclusions,” Ladd explained.
At this point in time, developers can access a variety of resources from Microsoft designed to help them raise the level of security of their code. The Redmond company is offering the SDL Optimization Model, the SDL Threat Modeling Tool, and the SDL Pro Network, all free of charge, to developers looking to achieve a standard of security on par with what products like Windows Vista and Office 2007 bring to the table.
“We've illustrated the changes that one would expect of a living process – the expected fine tuning of our SDL requirements and recommendations to reflect changes in the security space. In addition, we have included information on how the SDL is applied to online services (i.e. Microsoft publicly available websites) and how we use the SDL to build line-of-business (LOB) applications for internal use at Microsoft. The changes specific to online services and LOB are called out in the text for easier review,” Ladd added.