Geeks With Blogs
Things Mark Flory Forgets Because Who Needs Memory When There is the Internet

Microsoft's SDL Optimization model is for moving your organization along in their Security Development Lifecycle.  The SDL is really born out of a lot of lesson's learned and pain realized by Microsoft over the years.  The idea is to build into your development process a more security centric focus throughout the lifecycle.

The Optimization Model follows this diagram:

Microsofts Security Development Lifecycle Optimization Model

The idea here is to first determine where your organization is at, figure out where you want to be, and determine how to get there.  You start with an introduction document and move from there to a self-assessment.  Depending up on the assessment you will move on to an implementer's guide.

What I find helpful about this is it is difficult to figure out how to move an organization towards more secure development.  It is very helpful to have a demonstrable process that worked for somebody.  The fact that it came from Microsoft's own experiences and they are very enthusiastic about their success with it helps a lot.

It also hurts a little because they have already lined up a number of vendors, their SDL Pro Network, to evangelize the process (i.e. sell services and training).  Don't get me wrong I am all for making a buck but sometimes it can get a little tedious how much they are promoting it within their documentation.

I believe at some point it will be almost a requirement for software vendors (of whatever stripe) to have a demonstrable secure development process (for example the PA-DSS).  Too much money is being lost, too much information is at risk, and something definitely has to be done.  I am not positive that Microsoft's SDL will emerge as the solution for this but at this point it is better than nothing.

Posted on Monday, December 8, 2008 12:49 PM Security | Back to top


Comments on this post: Microsoft's SDL Optimization Model

Comments are closed.
Comments have been closed on this topic.
Copyright © Mark Flory | Powered by: GeeksWithBlogs.net