Microsoft gets Agile with its Security Dev Lifecycle

From the ‘Defense in Depth’ files:

Microsoft is rethinking how to do security in an Agile (as in Agile development) world.

They have now issued new guidance for the Security Development Lifecycle (SDL) process that outlines how Microsoft thinks about and implements secure coding practices.

The new document officially carries the version number 4.1a and is a 130-page behemoth that is hardly light reading. Of its 130 pages, pages 45 to 53 are the new ones on Agile (no, it’s not much, but it might be enough).

“There is a perception today that Agile methods do not create secure code, and, on further analysis, the perception is reality,” the new Microsoft guidelines state. “There is very little ‘secure Agile’ expertise available in the market today. This needs to change.”

The whole idea behind Agile is to rapidly iterate and release code. It is a core process used by most (if not all) open source projects, where nightly builds are commonplace.

I would be the last person to state that Agile leads to insecure code, though I can see where the idea comes from.
