The latest version of the MSF Agile and SDL Process Template for Visual Studio 2010 is due for release on 27 May,...
says Bryan Sullivan, senior security program manager at Microsoft.
This is the latest in the series of free tools Microsoft is making available to support the company's Security Development Lifecycle (SDL).
Microsoft introduced the SDL in 2004 to standardise secure software development practices across all product lines.
The first version of the template for applying SDL methodology to agile or iterative software development process was released at Black Hat DC 2010 in February.
The template ensures that any code checked in by developers complies with SDL practices and automatically tracks manual processes to prevent them being overlooked.
The SDL is a "ton of work" and definitely a "non-trivial" process says Sullivan.
The latest version of the SDL has over 100 requirements, which means the process is possible only with the use of tools, he said.
"Tools make the SDL possible, and into the future, there is likely to be a tool to support every new requirement," he said.
The reliance on tools, however, does not mean that the SDL is only for large organisations, said Sullivan, as there are
free tools for the every phase of the SDL that can be downloaded from Microsoft.
In addition to the agile development templates, these include tools for threat modelling and protection of web applications.
Microsoft's threat modelling tool is important because it helps developers to ask the right security questions about things like processes and data flows, said Sullivan.
It is not enough for developers just to think like an attacker, he said, they need a tool that will raise questions about vulnerabilities to the main categories of threats.
These include spoofing, tampering, repudiation, information disclosure, denial of service and [privilege] elevation, said Sullivan.
Unlike most other secure development tools, Microsoft Web protection library is used during the development process, he said, to make Web applications more resistant to common attacks, such as cross-site scripting (XSS).
"The XSS library enables developers to write applications that encode input text so that it cannot be interpreted as code and that strips out any potentially malicious text," said Sullivan.
Debunking the myth that SDL only works for large Microsoft shops is among future SDL initiatives he said.
"Not only has Microsoft made all the tools to support SDL available at no cost, but it has issued a simplified version of the SDL that makes it applicable to any organisation," said Sullivan.