Microsoft updates SDL for agile development

Microsoft has published guidelines for developing secure software rapidly.

The guidelines are aimed at helping corporate software developers and independent software vendors to speed up coding processes without compromising on security.

The guidelines for fast, intensive iterative or agile coding methods are an adaptation of Microsoft's standard Security Development Lifecycle (SDL).

Microsoft introduced the SDL officially in 2004 to standardise secure software development practices across all product lines.

Internal demand for faster turnaround times from some development teams led to the adaptation of the SDL for iterative programming.

The tried and tested SDL for agile development is now available as a free download from Microsoft.

"We want to make the SDL available to as many developers as possible," said Steve Lipner, senior director of security engineering strategy at Microsoft.

The aim is to improve security for all users of the internet and software applications by helping all developers to create code that is inherently secure, he said.

An increasing number of organisations are turning to faster development cycles as a way of maintaining a competitive edge and keeping up with business needs.

Some 85% of technology industry professionals have recently adopted, are midway through or have a mature implementation of agile development methods, according to independent research, said Lipner.

Instead of the phased approach to SDL, the new guidelines show how to apply the principles to much shorter "sprints" of development aimed at faster delivery.

Some principles are applied to every sprint, while others are applied only once during a development project or in six-monthly cycles, said Lipner.

Threat modelling, for example, is mandated for every sprint. But setting up a bug-tracking system will happen only once in a project, and something like fuzzing, the testing of how malformed input is handled, is done only every six months, he said.

"In this way all the principles of the SDL are applied, but not in a way that is counter to the development methodology," said Lipner.
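The three cadences described above (every sprint, once per project, and at least every six months) are easy to lose track of once a team is several sprints in. The following is an added example, not part of the original article and not Microsoft's SDL-Agile tooling: a small checker that, given the dates on which each requirement was last completed, reports what is due in the next sprint, and that audits a sprint log for missed requirements. The requirement names, the three-entry requirement table and the 182-day window are assumptions chosen to mirror the three examples quoted in the text; the real SDL-Agile requirement list is longer.

```python
from datetime import date, timedelta

# Cadence classes as described in the article. The requirement table below
# is a constructed illustration, not Microsoft's actual SDL-Agile list.
EVERY_SPRINT = "every-sprint"
ONE_TIME = "one-time"
SIX_MONTHLY = "six-monthly"

REQUIREMENTS = {
    "threat-model": EVERY_SPRINT,        # mandated for every sprint
    "bug-tracking-setup": ONE_TIME,      # once per project
    "fuzzing": SIX_MONTHLY,              # at least every six months
}

# Assumed interpretation of "every six months" as a fixed 182-day window.
SIX_MONTHS = timedelta(days=182)


def due_requirements(history, sprint_start, requirements=REQUIREMENTS):
    """Return the sorted names of requirements that must be done in the
    sprint beginning on `sprint_start`.

    history: dict mapping requirement name -> list of dates it was completed.
    """
    due = []
    for name, cadence in requirements.items():
        done = sorted(history.get(name, []))
        if cadence == EVERY_SPRINT:
            due.append(name)
        elif cadence == ONE_TIME:
            if not done:
                due.append(name)
        elif cadence == SIX_MONTHLY:
            # Due if never run, or if the last run is six months old (or
            # older) by the time this sprint starts.
            if not done or sprint_start - done[-1] >= SIX_MONTHS:
                due.append(name)
        else:
            raise ValueError(f"unknown cadence {cadence!r} for {name}")
    return sorted(due)


def audit_sprints(sprints, requirements=REQUIREMENTS):
    """Walk a sprint log in date order and report, per sprint, the due
    requirements that were not completed in it.

    sprints: list of (start_date, set_of_completed_requirement_names).
    Returns a list of (start_date, sorted_missing_names).
    """
    history = {}
    report = []
    for start, completed in sorted(sprints, key=lambda s: s[0]):
        due = due_requirements(history, start, requirements)
        missing = sorted(set(due) - set(completed))
        report.append((start, missing))
        for name in completed:
            history.setdefault(name, []).append(start)
    return report


if __name__ == "__main__":
    # Constructed sprint log: a two-week cadence that skips threat modelling
    # in the second sprint and lets fuzzing lapse by August.
    log = [
        (date(2024, 1, 8), {"threat-model", "bug-tracking-setup", "fuzzing"}),
        (date(2024, 1, 22), set()),
        (date(2024, 8, 1), {"threat-model"}),
    ]
    for start, missing in audit_sprints(log):
        status = "ok" if not missing else "MISSING " + ", ".join(missing)
        print(f"sprint {start}: {status}")
```

The audit is deliberately strict in one direction only: a requirement counts as done for the sprint in which it was recorded, and a six-monthly item that was skipped stays due in every following sprint until it is actually run, so the report shows the lapse rather than silently resetting it.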
