As if Microsoft hasn't been busy enough with developer news – the Professional Developer's Conference (PDC) and Windows Hardware Engineering Conference (WinHEC) just took place, separated by one week – the company also has a Tech-Ed show taking place in Barcelona, Spain.
At Tech-Ed EMEA 2008, Microsoft (NASDAQ: MSFT) introduced new programs and tools modeled after the company’s internal Security Development Lifecycle (SDL) process that enables software developers to create more secure and privacy-enhanced applications.
SDL is a methodology for developing and programming that Microsoft created in-house and refined over the lifecycle of several major product releases and over a multi-year period. It's a series of best practices for developers and designers to evaluate and consider security issues from the moment they design a product, instead of tacking on security as an afterthought, or not doing it at all.
The result has been to make Microsoft products more secure, although by no means perfect, given their complexity. Windows XP, developed before SDL, had 119 vulnerabilities discovered in its first year of availability. Windows Vista, developed with SDL practices, had just 69 disclosed vulnerabilities in its first year.
"Developers are under increasing pressure to deliver more complex applications that work across a variety of devices, but with fewer resources and less time," said Jason Zander, general manager of the Developer Division at Microsoft, in a statement.
Helping to simplify the development process
"We continue to refine Visual Studio and the .NET Framework to help simplify the application development process and ultimately improve the day-to-day experience for anyone building, managing, deploying or using applications and services," Zander continued.
Microsoft introduced three elements to SDL: SDL Optimization Model, SDL Pro Network, and Microsoft SDL Threat Modeling Tool Beta. The Optimization Model is a free model for facilitating gradual, consistent and cost-effective implementation of the SDL.
The Pro Network is a network of partners that helps guide and support software developers in implementing SDL in their own environments. The free Threat Modeling Tool provides guidance in drawing threat diagrams, guided analysis of threats and their mitigations, integration with bug-tracking systems, and reporting capabilities.
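To make the "guided analysis of threats and mitigations" concrete, here is an added example, not code from Microsoft or from the tool itself, of the kind of analysis the SDL Threat Modeling Tool automates: it works on a data-flow diagram and applies STRIDE per element, so each element type gets a fixed set of threat categories. The element-to-category table, the mitigation catalogue, the three-element sample diagram and the ticket format are simplified assumptions constructed for this example.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added illustration of guided threat analysis. The tables below are simplified
assumptions for this example, not the SDL Threat Modeling Tool's rule set.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Simplified STRIDE-per-element table (assumption): which threat categories
# apply to each kind of data-flow-diagram element.
STRIDE_PER_ELEMENT: Dict[str, Set[str]] = {
    "external": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "datastore": {"T", "R", "I", "D"},
    "dataflow": {"T", "I", "D"},
}

CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Constructed mitigation catalogue: the control family that answers each category.
MITIGATIONS = {
    "S": "authentication of the peer",
    "T": "integrity protection (signatures, MACs, input validation)",
    "R": "audit logging in tamper-evident storage",
    "I": "encryption in transit/at rest plus access control",
    "D": "rate limiting, quotas and resource isolation",
    "E": "authorization checks and least privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "datastore"
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    name: str
    source: Element
    target: Element

    def crosses_boundary(self) -> bool:
        return self.source.zone != self.target.zone


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    mitigation: str
    crosses_boundary: bool


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply the STRIDE-per-element table to every element and flow."""
    threats: List[Threat] = []
    for e in elements:
        for cat in sorted(STRIDE_PER_ELEMENT[e.kind]):
            threats.append(Threat(e.name, CATEGORY_NAMES[cat], MITIGATIONS[cat], False))
    for f in flows:
        for cat in sorted(STRIDE_PER_ELEMENT["dataflow"]):
            threats.append(Threat(f.name, CATEGORY_NAMES[cat], MITIGATIONS[cat],
                                  f.crosses_boundary()))
    return threats


def to_bug_entries(threats: List[Threat]) -> List[dict]:
    """Shape each threat like a tracker ticket (constructed field names).

    Threats on flows that cross a trust boundary are raised to high priority,
    because that is where an attacker-controlled peer first touches the system.
    """
    return [
        {
            "id": f"TM-{i:03d}",
            "title": f"{t.category} against {t.target}",
            "priority": "high" if t.crosses_boundary else "medium",
            "proposed_mitigation": t.mitigation,
        }
        for i, t in enumerate(threats, 1)
    ]


# Constructed sample diagram: browser -> web front end -> database.
USER = Element("browser user", "external", "internet")
WEB = Element("web front end", "process", "dmz")
DB = Element("orders database", "datastore", "internal")
ELEMENTS = [USER, WEB, DB]
FLOWS = [Flow("HTTP request user->web", USER, WEB), Flow("SQL web->db", WEB, DB)]


if __name__ == "__main__":
    for entry in to_bug_entries(enumerate_threats(ELEMENTS, FLOWS)):
        print(entry["id"], entry["priority"].upper(), entry["title"], "->",
              entry["proposed_mitigation"])
```

The point of the table-driven approach is that the analysis is repeatable: two engineers drawing the same diagram get the same list of threats to triage, and every threat arrives paired with the control family that addresses it, which is what makes exporting to a bug tracker useful rather than noisy.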
Zander showcased the enhancements planned for Visual Studio 2008 SP1 and the .NET Framework 3.5 SP1, which were part of both PDC and WinHEC as well.