Microsoft to share in-house security lessons

The company said on Tuesday that it will be releasing the details on several of its in-house Secure Development Lifecycle (SDL) concepts as freely available tools.

The effort will initially consist of three programmes, each designed to bring Microsoft's newly-developed security policies to other vendors.

The first will be an auditing system known as the SDL Optimisation Model. The system will allow developers to obtain a general security overview on their products and find possible holes in the development process.

The second will be the formation of a security consultant network. The Pro Network will aim to connect software developers with security firms in order to build software which is better able to withstand attack.

Initially, this will be limited to a small test network, although the company hopes eventually to open registration to outside firms.

The third part of the programme will be a piece of software known as the SDL Threat Modeling Tool which models a developer's code and points out potential security holes within an application.

Each of the three programmes is based on Microsoft's SDL system launched in 2004. The system was Microsoft's attempt to improve its overall product security by implementing security measures in every facet of the development process, and was used to develop Vista and Office 2007.