Microsoft Announces Beta Security Development Lifecycle Templates

Microsoft is releasing a beta of a free, downloadable template for applying Security Development Lifecycle (SDL) methodology to the Microsoft Solutions Framework (MSF) for Agile Software Development process. The MSF for Agile Software Development plus SDL Process Template for Visual Studio Team System 2008 lets developers integrate the SDL-Agile secure development methodology directly into the Visual Studio development environment. A beta template for Visual Studio 2010 will be available shortly after Microsoft releases that product in April. A final release of both templates is currently scheduled for the second quarter of 2010.

With the MSF-Agile+SDL template, any code the developer checks into the Visual Studio Team System (VSTS) source repository is analyzed to ensure that it complies with SDL secure development practices. The template also automatically creates workflow tracking items for manual SDL processes such as threat modeling, so that these important security activities are not accidentally skipped or forgotten. Finally, the template integrates with the other SDL tools, including the SDL Threat Modeling Tool, the BinScope Binary Analyzer, and MiniFuzz.

The new templates are similar in concept to the SDL Process Template Microsoft released in 2009. The key difference is that the MSF Agile + SDL template follows the SDL-Agile process instead of the SDL-Classic process. The MSF Agile + SDL template also has some unique new features to accommodate the requirements of SDL-Agile, such as the following:

  • Automatic generation of new targeted work items in response to the user checking in code. For example, if the user checks in a C++ project, the template will automatically add the appropriate SDL requirements concerning C++ security. Or if the user checks in C# code for a Web site, the template will add requirements for .NET Web security.
  • Automatic generation of new work items in response to the user creating new sprints. Given that Agile projects can live forever (as in the case of cloud services with no defined end date), these projects need to periodically re-complete SDL requirements. This process is defined in the SDL-Agile process guidance and is implemented in the MSF Agile + SDL template.

The new templates are targeted at users of Visual Studio Team System 2008 Team Foundation Server or Visual Studio 2010, including developers, testers, architects, project managers and development managers.

