RSA Conference, San Francisco, CA

It was truly a pleasure to meet all the attendees of the RSA Conference in San Francisco, CA. Some truly smart folks out there focused on data security and privacy.

If you attended the conference and stayed at one of the RSA 2010 conference hotels, you probably got a hotel key card like the one below that talked about the Microsoft Security Development Lifecycle (SDL) and the products that are made with it, such as Microsoft Forefront. You may have also attended the RSA Conference Keynote address by Scott Charney, Microsoft Corporate VP of Microsoft Trustworthy Computing, where Scott talks about creating a safer, more trusted Internet. Scott referenced the Microsoft SDL a few times.

RSA 2010 Conference Hotel Key Card

To quickly summarize, the Microsoft SDL helps achieve that in many ways. We do this in three key ways: Microsoft SDL process guidance, SDL tools, and the SDL Pro Network members.

The Microsoft Security Development Lifecycle (SDL) helps companies secure data and privacy for their organizations and their customers.

In the last few years alone, the Microsoft SDL group has updated the Microsoft SDL process guidance, created new Microsoft SDL tools, and introduced SDL Pro Network members who help companies implement and adopt the Microsoft SDL.

The Microsoft SDL contributes to innovation and success in the following ways:

  • SDL for Agile helps vendors and software development contractors write more secure code. Microsoft released the SDL for Agile process guidance at the Microsoft TechEd Europe Conference. SDL for Agile enables companies with short release cycles to use the Microsoft SDL best practices and tools.
  • Simplified SDL helps companies integrate security practices in their own software development processes. Simplified SDL provides a minimum threshold for SDL compliance.
  • SDL Template tools help ensure code compliance. Microsoft recently released the SDL for Agile template and the Microsoft SDL Process templates for Microsoft Visual Studio Team System (VSTS) 2008 that help development teams make sure that any code they write complies with SDL secure development practices. These templates also help with security workflow tracking.
  • SDL threat modeling helps companies discover and correct design-level security problems. Threat modeling is a core component of the design phase in the Microsoft Security Development Lifecycle (SDL).
  • The Microsoft SDL Pro Network provides expertise worldwide. The SDL Pro Network is a group of security consultants, training companies, and tool providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the SDL. The network was expanded recently to include seven new members.


If you stopped by the booth, you would have met quite a few folks roaming around who were very happy to talk to you about the Microsoft SDL, including:

Microsoft employees. David Ladd, Bryan Sullivan, Katie Moussouris, Jeremy Dallman, Adam Shostack, Jed Pickel, and Georgeo Pulikkathara.

Members of our SDL Pro Network who were present at RSA include:

Security Innovation. Maureen Robinson

Fortify. Russell Spitler

Cigital. Brian Mizelle

Codenomicon. Steve Hayes

Security University. Sondra Schneider

Consult2Comply. Dave Teti

Safelight. Mike Maziarz

Casaba Security. Jason Glassberg



I also hope you got a chance to grab a copy of Elevation of Privilege (EoP), the threat modeling card game. We gave away over 3,000 card decks at RSA. You can learn more about Adam Shostack’s Elevation of Privilege (EoP) card game creation here at:

I have a few copies still left, and Monday I will mail them out to those who have requested them, and then we’re completely out until next year.


George, Microsoft Trustworthy Computing