Microsoft Seeks Secure Software Development
Company will introduce SDL Threat Modeling Tool 3.0, an evolution of the Trustworthy Computing initiative.
"I love the threat modeling tool," said Mike Gualtieri, senior analyst at Forrester Research. "I wish I had it when I was a developer. In addition to helping developers do threat modeling, it also educates developers on security issues as they use the tool."
Microsoft's optimization model features free guidance available for Web download in November. "The optimization model is for helping organizations self-assess their maturity or their effectiveness at secure development," Lipner said.
Featured is an assessment that organizations can use to look at their security practices and see how they compare to SDL. Users can characterize security practices at four different levels: basic, in which the customer risk is undefined; standardized, which offers proactive security; advanced, in which security is integrated; and dynamic, offering specialized security and minimized customer risk.
SDL Pro Network is a network of service providers offering consulting and training for implementing SDL. Users can go to companies such as Leviathan Security for assistance with SDL.
"The network of trained partners who will help educate the field on the SDL Optimization Model and the SDL threat modeling tool will help promulgate the technology and usage of security principles, making e-commerce safer for all of us," said analyst Roger Kay, president of Endpoint Technologies Associates.
Microsoft believes that offering security technologies for free with SDL can result in more secure software, which in turn makes Windows more secure. Microsoft began its focus on security after Internet worm attacks in 2001, Lipner said. While Microsoft has seen its share of vulnerabilities drop because of SDL, intruders have instead been attacking others' software, said Lipner.
Paul Krill is an editor at large at InfoWorld, specializing in news and features related to application development, Java, and .Net. He can be reached at paul_krill@infoworld.com.