The template checks that code complies with SDL practices before allowing it to be checked into a Visual Studio Team System repository, and creates appropriate security workflow tracking items for manual processes such as threat modelling.
For example, the template generates different workflow items depending on whether the developer checks in C++ or .NET code. And when a developer creates a new sprint, new work items are created.
It also eases integration with other tools, including Microsoft's SDL Threat Modeling Tool, the BinScope binary analyser and the MiniFuzz file fuzzer, simplifying the task of recording which tools are uncovering the most bugs.
Another feature of the template is the provision of a 'scope' field that makes it easier for the developer to describe the importance of the issue. It is used in conjunction with the 'bug bar rating' to help determine which issues must be fixed before release, explained Bryan Sullivan, senior security program manager at Microsoft.
Microsoft offers a separate template for organisations using CMMI rather than Agile.
Stephen Withers travelled to Seattle as a guest of Microsoft.