The US ISV Team introduced the concept of SDL at Tech-Ed EMEA 2008. SDL includes 3 main elements:
- SDL Optimization Model.
- SDL Pro Network.
- Microsoft SDL Threat Modeling Tool.
You can read more about all that here.
Now for my personal view of this process… One of the challenges that each application should confront is security. In order to validate and ensure that your application is secure, a process of finding and validating the security aspects of the application must be combined into the application lifecycle development process (ALM).
Why on earth should there be an ALM process and an SDL process? Why not combine them all together? The SDL is a subprocess of the ALM, right?
In that case, and for those of you who use Team System as the ALM tool, you must realize that not much thought has been given to security. Yes, you can create work items as tasks to validate the security or create a threat plan; however, I believe that we require a better offering. There should be tools, rules, and processes that cover security aspects.
Who knows, maybe we will see some progress in Team System 2012… P-)