Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

Trustworthy Computing Security Development Lifecycle

Monday, March 21, 2005

Tags: .NET, Security

My friend Kevin Hegg mentioned this link to me on Friday, but it wasn't live yet. It is now: Michael Howard notes its "live" status at http://msdn.microsoft.com/security/sdl, which forwards you to the link for the above document.

This looks to be a great start on some guidelines for creating secure software. Some key takeaways:

There are three facets to building more secure software: repeatable process, engineer education, and metrics and accountability. This document focuses on the repeatable process aspect of the SDL, although it does discuss engineer education and provide some overall metrics that show the impact to date of application of a subset of the SDL.

If Microsoft's experience is a guide, adoption of the SDL by other organizations should not add unreasonable costs to software development. In Microsoft's experience, the benefits of providing more secure software (e.g., fewer patches, more satisfied customers) outweigh the costs.

The SDL involves modifying a software development organization's processes by integrating measures that lead to improved software security. This document summarizes those measures and describes the way that they are integrated into a typical software development lifecycle. The intention of these modifications is not to totally overhaul the process, but rather to add well-defined security checkpoints and security deliverables.

Take a look, and happy reading!
