Teams developing applications using Microsoft Visual Studio Team System 2008 (VSTS 2008) can now better implement Microsoft's security development lifecycle (SDL) process using a new template addition.
On Tuesday, Microsoft released its SDL Process Template for VSTS 2008. The release closely follows the availability of VSTS 2008 beta 1, announced last week, as well as Monday's announcement of Visual Studio 2010 beta and .NET Framework 4.0 beta.
The new SDL Process Template leverages both VSTS 2008 and Team Foundation Server. It supports "auditing for satisfying the security requirements" at organizations developing applications, according to Microsoft's SDL blog. The blog provides a walkthrough showing how the template works.
The new template fulfills a long-awaited need, according to Chenxi Wang, Forrester Research's principal analyst for security and risk management.
"This new release embeds SDL processes inside Visual Studio, which users have been asking for a while now," Wang said. "Other software security vendors have long been producing plug-ins for Visual Studio. But Microsoft had not yet crafted any of their SDL process into Visual studio, and this new announcement represents the beginning of Microsoft doing that."
The embedding of SDL processes also helps because applications increasingly are becoming a security attack vector.
"Attackers are now targeting application vulnerabilities at a much higher rate than vulnerabilities found in the OS or browser," said Rob Sanfilippo, research VP for developer tools and platforms at Directions on Microsoft. "This way, development guidance and tools like those just released by Microsoft can be valuable for ISVs and corporate development teams, even those not using Microsoft's VS development platform."
Microsoft has been publishing its security development guidance based on its internal processes since 2004, Sanfilippo added. He described this latest SDL push "a step forward" but said there are still some enhancements to be made to the process.
"For example, the template doesn't take advantage of new features coming in VSTS 2010 such as modeling and new test features, and the threat model tool could be more tightly integrated with the IDE," he said. "The SDL team releases new offerings approximately annually, so we'll probably see enhancements such as these next year, which should be about six months after VS/VSTS 2010 ships."
The SDL Process Template for VSTS 2008 can be downloaded here.