Making Secure Code Easier: SDL Process Template
by Olga Belokurskaya
Not so long ago the Microsoft Security Development Lifecycle team announced the release of the Microsoft SDL Process Template for Visual Studio Team System. The new template is designed to work with TFS 2008 and makes writing secure code much easier: it reduces the barrier to entry for SDL adoption, provides auditing evidence that the security requirements have been satisfied, and helps demonstrate the security return on investment.
Here is a short overview of its features:
The Process Guidance page provides a security owner with five steps for Getting Started on an SDL project, and details on customizing the template and extending it for third party security tools.

For developers who care about security but want it to be intuitive, the SDL Process Template includes check-in policies. These policies ensure that every code check-in takes advantage of the SDL-required compiler/linker flags and the Code Analysis features already in Visual Studio. This will eliminate entire classes of security weaknesses from the code!
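The article does not list the flags the check-in policies enforce, so the following is an added illustration, not code from the SDL Process Template itself: a small gate in the spirit of such a check-in policy that parses a Visual C++ project file and reports every build configuration missing a hardening setting. The set of required MSBuild properties (stack cookies, Code Analysis, ASLR, DEP, SafeSEH) is this example's own assumption about what "SDL-required" means, and both project files are constructed samples.

```python
"""Check-in style gate: does a .vcxproj enable the hardening settings?

Added example, not part of the SDL Process Template. The policy table is an
assumption about which compiler/linker settings an SDL gate would require.
"""
import xml.etree.ElementTree as ET

MSBUILD_NS = {"m": "http://schemas.microsoft.com/developer/msbuild/2003"}

# Assumed policy: MSBuild property -> required value, with the MSVC switch it maps to.
REQUIRED_COMPILER = {
    "BufferSecurityCheck": "true",  # /GS       stack buffer overrun detection
    "EnablePREfast": "true",        # /analyze  static Code Analysis
}
REQUIRED_LINKER = {
    "RandomizedBaseAddress": "true",          # /DYNAMICBASE  ASLR-compatible image
    "DataExecutionPrevention": "true",        # /NXCOMPAT     DEP-compatible image
    "ImageHasSafeExceptionHandlers": "true",  # /SAFESEH      safe SEH table (x86)
}


def _configuration_name(group):
    """Turn "'$(Configuration)|$(Platform)'=='Release|Win32'" into "Release|Win32"."""
    cond = group.get("Condition")
    if not cond:
        return "(all configurations)"
    return cond.split("==")[-1].strip("' ")


def _setting(tool_node, prop):
    """Return the text of <prop> under a <ClCompile>/<Link> node, or None if unset."""
    if tool_node is None:
        return None
    el = tool_node.find(f"m:{prop}", MSBUILD_NS)
    if el is None or el.text is None:
        return None
    return el.text.strip()


def check_project(vcxproj_xml):
    """Return (configuration, tool, property, actual_value) for every missing setting."""
    root = ET.fromstring(vcxproj_xml)
    findings = []
    for group in root.findall("m:ItemDefinitionGroup", MSBUILD_NS):
        config = _configuration_name(group)
        for tool, policy in (("ClCompile", REQUIRED_COMPILER), ("Link", REQUIRED_LINKER)):
            node = group.find(f"m:{tool}", MSBUILD_NS)
            for prop, wanted in policy.items():
                actual = _setting(node, prop)
                if (actual or "").lower() != wanted:
                    findings.append((config, tool, prop, actual))
    return findings


def passes_checkin_policy(vcxproj_xml):
    """A check-in policy would block the commit when this returns False."""
    return not check_project(vcxproj_xml)


# Constructed sample: a Release build that turns stack cookies off and sets
# none of the linker mitigations.
WEAK_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
      <BufferSecurityCheck>false</BufferSecurityCheck>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
    </Link>
  </ItemDefinitionGroup>
</Project>"""

# Constructed sample: the same configuration with every required setting enabled.
HARDENED_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
      <BufferSecurityCheck>true</BufferSecurityCheck>
      <EnablePREfast>true</EnablePREfast>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <RandomizedBaseAddress>true</RandomizedBaseAddress>
      <DataExecutionPrevention>true</DataExecutionPrevention>
      <ImageHasSafeExceptionHandlers>true</ImageHasSafeExceptionHandlers>
    </Link>
  </ItemDefinitionGroup>
</Project>"""


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_PROJECT), ("hardened", HARDENED_PROJECT)):
        print(f"{name}: {'OK' if passes_checkin_policy(xml) else 'BLOCKED'}")
        for config, tool, prop, actual in check_project(xml):
            print(f"  {config} {tool}/{prop}: required 'true', found {actual!r}")
```

Running the block prints the weak project as BLOCKED with five missing settings and the hardened one as OK. A real TFS check-in policy would run a check like this against every .vcxproj in the pending change set rather than against inline strings, but the decision it makes is the same: the commit is refused until the configuration carries the required flags.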

Testers want to be able to emphasize the importance of a security bug and properly communicate its impact on their product. The default “bug” work item now has customized security fields, so one can record the security severity and the security cause/effect (using STRIDE), and mark a bug as “Blocking” or “Not Blocking.” This makes security-specific bugs easy to track and search for.

For the management team there are the Final Security Review Report and the Security Bugs Report, which provide an auditable set of artifacts detailing the security work completed as well as the tasks deferred.

In short, the new SDL template addresses the challenge of making code more secure. A more detailed overview may be found .