CISF and Application Portfolio Management

Microsoft is busy building a security infrastructure (or portal): the Connected Information Security Framework (CISF), a project by Mark Curphey, from the OWASP project.

The goal of CISF is to bring all security-related information together in a central location, with the focus on building blocks and customization. CISF will therefore become a portal, with "widgets" for presenting the various pieces of security information. Combine this with some analytics (BI), workflow, tasks, risks, assets, authorization and notifications. All of this is being built on .NET 3.5 with WF, and there are even plans to incorporate "Geneva".

The first CTP delivers a subset of the planned features and starts with Authorization and Application Portfolio Management (APM).


Here we can define our "Risk Impact Assessment": a list of questions, with a scoring system for each answer. Every application must complete this assessment, which results in a score. For each range of scores we can assign tasks to be executed in the various software development stages (like design in the picture above). The whole process is monitored through task status fields.

The general framework used here is very nice; it's very easy (and even intended) to create and add custom questions, add users to the system, and change properties, questions and score ranges.
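As an added illustration of the assessment flow described above (this is not CISF's own code; the questions, per-answer scores, score ranges and stage tasks are constructed values), a small Python model: answers are scored and summed into an application score, the score is matched to a range that yields tasks per development stage, and each task carries a status field for monitoring.

```python
from dataclasses import dataclass

# Constructed sample assessment: each question maps its allowed answers to a
# score. Hypothetical values, not CISF's own question set.
QUESTIONS = {
    "internet_facing": {"yes": 5, "no": 0},
    "data_classification": {"public": 0, "internal": 2, "confidential": 5},
    "authentication": {"none": 5, "forms": 3, "windows": 1},
}

# Inclusive score ranges mapped to tasks per development stage (constructed).
RANGE_TASKS = [
    ((0, 4), {"design": ["lightweight threat model"]}),
    ((5, 9), {"design": ["threat model"], "test": ["security test pass"]}),
    ((10, 15), {"design": ["threat model", "architecture review"],
                "implementation": ["static analysis"],
                "test": ["penetration test"]}),
]

@dataclass
class Task:
    stage: str
    name: str
    status: str = "open"   # task status field: open / in progress / done

def score_assessment(answers):
    """Sum the score of each answer; every question must have a known answer."""
    missing = set(QUESTIONS) - set(answers)
    if missing:
        raise ValueError(f"unanswered questions: {sorted(missing)}")
    return sum(QUESTIONS[q][answers[q]] for q in QUESTIONS)

def tasks_for_score(score):
    """Find the score range and create one open task per stage entry."""
    for (low, high), stage_tasks in RANGE_TASKS:
        if low <= score <= high:
            return [Task(stage, name)
                    for stage, names in stage_tasks.items() for name in names]
    raise ValueError(f"score {score} is outside the configured ranges")

def set_status(tasks, stage, name, status):
    """Update the status field of the named task (KeyError if absent)."""
    for task in tasks:
        if task.stage == stage and task.name == name:
            task.status = status
            return task
    raise KeyError(f"no task {name!r} in stage {stage!r}")

def open_tasks(tasks, stage):
    """Names of tasks in a stage that are not yet done, for monitoring."""
    return [t.name for t in tasks if t.stage == stage and t.status != "done"]
```

An unanswered question or a score outside the configured ranges raises an error instead of silently assigning no tasks, which is the failure mode a portfolio process should surface.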

Installation was pretty straightforward: first install the database (on a SQL 2008 instance), then extract the website and change the connection strings. Just read the included documentation!

For more information on CISF and building widgets, read the following articles:

Creating a redistributable CISF Portal Widget
Create a Bing Widget for the CISF Security Portal
Understanding CISF Portal Widget Framework
An Introduction to the Connected Information Security Platform or CISF

Posted 16-09-2009 16:05 by Erik Oppedijk
