You might remember it: January 15th, 2002 Bill Gates wrote the famous memo on Trustworthy Computing to all the employees at Microsoft. This was probably one of the biggest initiatives at Microsoft and radically changed the way we develop software (and much, much more). I remember when I was the first time on stage talking about Trustworthy Computing in 2002. I said that this is an industry initiative and not something for Microsoft only. A lot of people just smiled at me and told me that this was just another try to get out of our responsibility and blame the industry for our problems. However, we came a long way since then.
If you look at Billâ€™s memo back in 2002, there are a few remarkable statements in there, when it comes to the industry collaboration piece. He said that â€œWe must lead the industry to a whole new level of Trustworthiness in computing.â€ and â€œItâ€™s about smart software, services and industry-wide cooperation.â€
So, we started to introduce a processes we called the Security Development Lifecycle at Microsoft. The process on a high level looks pretty familiar (I hope at least):
The effect of this process was pretty impressive. Letâ€™s look at a few key figures from our latest Security Intelligence Report. If we investigate the Security Bulletins we had to release in H1 2008 and compare the impact on Windows Vista and Windows XP, it looks like that:
And our overall share of the industry-wide vulnerabilities dropped constantly:
It definitely had an effect on us â€“ but we always wanted to share what we are doing within Microsoft to help you as developer to profit from what learned.Â So, we made SDL available since quite a while as books, trainings etc. Today we go an addition step to help to reduce the other 97% of the industry-wide vulnerabilities as well.
Today we announce the availability of a template for Visual Studio, where you can integrate SDL in Visual Studio Team System â€“ and I tell you, this is really, really cool. And as always with such initiatives it is for free!
As a teaser, here are a few screenshots:
This is the guidance page on SDL â€“ kind of your starting pointÂ
To run your project, you have a dashboard view
and last but definitely not least you have an overview over the SDL requirements
and there is much, much more!
Now, I leave the word to the real pros. Read the blog post by our SDL team: Making Secure Code Easier
I wish you all a lot of success implementing SDL and letâ€™s reduce the industry-wide vulnerabilities
And â€“ by the way â€“ did I tell you already that we make it available for FREE ?