
Netstat -vat by Sean Michael Kerner (bio)

A command line view of IT



Microsoft gets Agile with its Security Dev Lifecycle

From the 'Defense in Depth' files:

Microsoft is rethinking how to do security in an Agile (as in Agile development) world.

They have now issued new guidance for the Security Development Lifecycle (SDL) process that outlines how Microsoft thinks about and implements secure coding practices.

The new document officially carries the version number 4.1a and is a 130-page behemoth that is hardly light reading. Of its 130-page heft, pages 45 to 53 are the new ones on Agile (no, it's not much, but it might be enough).

"There is a perception today that Agile methods do not create secure code, and, on further analysis, the perception is reality," the new Microsoft guidelines state. "There is very little 'secure Agile' expertise available in the market today. This needs to change."

The whole idea behind Agile is to rapidly iterate and release code. It is a core process used by most (if not all) open source developers where nightly builds are commonplace.

I would be the last person to state that Agile leads to insecure code, though I can see where the idea comes from.

If Agile is just about code sprints without code reviews, then the likelihood of insecure code being introduced is high. Then again, full-scale reviews can be very burdensome, especially from a Microsoft standpoint.

In its new guidance, Microsoft noted that the Secure Development Lifecycle additions to Agile processes must be lean.

"This means that for each feature, the team does just enough SDL work for that feature before working on the next one," Microsoft's guidance states. "Second, the development phases (design, implementation, verification, and release) associated with the classic waterfall-style SDL do not apply to Agile and must be reorganized into a more Agile-friendly format."

It's kind of odd for me to think that Microsoft didn't already have secure practices in place for Agile development. Then again, Agile historically was not a method that big projects like Windows or Office followed.

Times do change.

Microsoft seems to now be moving forward faster, and with it they've embraced what open source developers have known all along: rapid code iterations can lead to better software, and yes, it can be secure too.
