Microsoft has published guidelines for developing secure
software rapidly.
The guidelines are aimed at helping corporate software
developers and independent software vendors to speed up coding
processes without compromising on security.
The guidelines for fast, intensive iterative or agile coding
methods are an adaptation of Microsoft's standard Security
Development Lifecycle (SDL).
Microsoft introduced the SDL officially in 2004 to standardise
secure software development practices across all product lines.
Internal demand for faster turnaround times for some development
teams led to the adaptation of the SDL for iterative
programming.
The tried and tested SDL for agile development is now available
as a free download from Microsoft.
"We want to make the SDL available to as many developers as
possible," said Steve Lipner, senior director of security
engineering strategy at Microsoft.
The aim is to improve security for all users of the internet and
software applications by helping all developers to create code that
is inherently secure, he said.
An increasing number of organisations are turning to faster
development cycles as a way of maintaining a competitive edge and
keeping up with business needs.
Some 85% of technology industry professionals have recently
adopted, are midway through or have a mature implementation of
agile development methods, according to independent research, said
Lipner.
Instead of the phased approach to SDL, the new guidelines show
how to apply the principles to much shorter "sprints" of
development aimed at faster delivery.
Some principles are applied to every sprint, while others are
applied only once during a development project or in six-monthly
cycles, said Lipner.
Threat modelling, for example, is mandated for every sprint. But
setting up a bug tracking system will happen only once in a
project, and something like fuzzing, or the testing of how
malformed input is handled, is done only every six months, he said.
"In this way all the principles of the SDL are applied, but not
in a way that is counter to the development methodology," said
Lipner.