Microsoft Security Development Lifecycle

October 18, 2011

Source: Microsoft


The purpose of this paper is to illustrate the core concepts of the Microsoft Security Development Lifecycle (SDL) and to discuss the individual security activities that should be performed in order to claim compliance with the SDL process.

This paper presents:

  • A brief overview of the Microsoft SDL.
  • An overview of the Microsoft SDL Optimization Model with particular attention to where the Microsoft SDL fits within the Optimization Model.
  • A discussion of individual Microsoft security development practices, including:
      • Roles and responsibilities for individuals involved in the application development process.
      • Mandatory security activities.
      • Optional security activities.
      • The application security verification process.

The process outlined in this paper sets a minimum threshold for SDL compliance. That said, organizations aren’t uniform – development teams should apply the SDL in a way that is suitable to the human talent and resources available, but doesn’t compromise organizational security goals.

It is important to note that this document focuses solely on software development security methodologies used for building software applications and online services for external or internal release. There are other methodologies within an organization (such as IT security practices) that focus on “operational” security threats; while the groups that administer these processes may be bound by technology and regulatory contexts similar to those that bind software development groups, they generally do not create application software intended for use in environments where there is meaningful security risk.

Wherever possible, references to public sources of information are provided. Web links to specific discussions of processes, tools, and other ancillary information are included throughout this document.

About the Microsoft Security Development Lifecycle

The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a company-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft. Combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process.

The Microsoft SDL is based on three core concepts—education, continuous process improvement, and accountability. The ongoing education and training of technical job roles within a software development group is critical. The appropriate investment in knowledge transfer helps organizations to react appropriately to changes in technology and the threat landscape. Because security risk is not static, the SDL places heavy emphasis on understanding the cause and effect of security vulnerabilities and requires regular evaluation of SDL processes and introduction of changes in response to new technology advancements or new threats. Data is collected to assess training effectiveness, in-process metrics are used to confirm process compliance, and post-release metrics help guide future changes. Finally, the SDL requires the archival of all data necessary to service an application in a crisis. When this archived data is paired with detailed security response and communication plans, an organization can provide concise and cogent guidance to all affected parties.

Download the entire document here.




