Microsoft Security Development Lifecycle released under Creative Commons

Today, Microsoft has announced that its Security Development Lifecycle (SDL) has been released to the general community under a Creative Commons license.

The Microsoft SDL is a large body of guidelines, whitepapers and training materials which Microsoft uses to secure its own development process.  It has traditionally been available only to customers who purchased this information (at considerable expense) in order to implement Microsoft’s internal best practices in their own software development cycles, audit procedures and code reviews.  This content could not be reproduced or included in any customer documentation without the express written permission of Microsoft.

This information is now completely available under a Creative Commons license for any customer or partner who wishes to access it, although licensing of Microsoft SDL tools remains unchanged.  Any and all existing documentation will also be released under the same open license model.

Microsoft hopes that “…by making the SDL documentation more accessible and portable, that more people will start doing secure development and realizing the benefits of incorporating security and privacy throughout the development lifecycle.”

The significance of this announcement is that it demonstrates a healthy approach by Microsoft to the democratisation of security and privacy information.  A criticism which has been levelled at software vendors over time is that their desire to protect proprietary intellectual property serves as a barrier to the widespread adoption of advanced security practices throughout the software industry.  Compared with the high level of knowledge sharing of vulnerabilities and exploits in the black hat community, ISVs, by attempting to maintain rigid control of their products, have in many respects only exacerbated the problem.

The release of the SDL under a Creative Commons license now allows customers to make changes to, reproduce and redistribute this information.  Over time, we can expect to see industry- and platform-specific guidelines emerge from the developer and security communities.

Of course, releasing the SDL does not overcome the wider issue of ISVs and IP protection, but it is an encouraging sign that Microsoft is committed to actively engaging with security and development professionals, and the long-term impact on the software industry in general will be significant.

1 comment to Microsoft Security Development Lifecycle released under Creative Commons

  • May all the people who still criticise Microsoft for lax security forever hold their peace. Now our eyes turn to Adobe and the other ISVs whose software has holes big enough to drive a Borg cube through and not even scratch the sides. Well done Microsoft.
