Starting with the SDL Pro Network

Sep 19, 2008 13:29 GMT

On September 16, Steve Lipner, senior director of security engineering strategy in Microsoft’s Trustworthy Computing Group, announced the company's intentions to share its security model with the rest of the software industry. In this regard, Lipner indicated that the Redmond giant would make available the SDL Optimization Model, the SDL Pro Network, and the Microsoft SDL Threat Modeling Tool come November 2008. David Ladd, a 17-year Microsoft veteran and a senior security program manager on the Security Engineering Strategy Team, discussed in detail the initiative related to building a network of SDL experts designed to offer consultancy and training to companies looking to implement Microsoft's security model.

"First, Microsoft is, and always will be a partner-driven company - we rely on the skills and capabilities of our partners to provide specialized services and broad geographic coverage for Microsoft products and services. Second, even though there are talented folks in the Microsoft Services organization, it's clear that we will need help from our partners to scale to meet the demand. I can't tell you how many times the folks on the SDL team have been approached by people - after an executive briefing, or a session at TechEd - asking for guidance in implementing SDL in their own organizations. When we look at the demand and pair it with the geographic diversity of our customer base, it's clear that a partner approach is the right answer," Ladd explained.

Windows Vista and then Windows Server 2008 were Microsoft's first Windows client and server operating systems to be developed entirely under the SDL. As far as Vista is concerned, Microsoft managed to hit its initial goal, namely to cut the volume of vulnerabilities in half compared to Windows XP. For the SDL Pro Network, Microsoft will start with a few of its closest partners, which are already involved in implementing the SDL model. This applies to the pilot phase of the program, which is planned to span the first year after its debut. Still, Ladd promised that Microsoft will without a doubt expand the SDL Pro Network to additional partners once the pilot program comes to an end.

"Despite the customer demand for SDL that I alluded to above, starting with a small pilot was the right thing to do; a small group of trusted consultancies supports our imperative for quality and it allows us to pragmatically grow the SDL Pro Network as the market matures. As we continue to evolve and innovate with the SDL, we'll have a strong core of partners to help drive the software security message," Ladd added.