Microsoft Security Development Lifecycle (SDL) – Process Guidance

Microsoft Security Development Lifecycle (SDL) is an industry-leading software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004,the SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach,the SDL introduces security and privacy early and throughout all phases of the development process. It has led Microsoft to measurable and widely-recognized security improvements in flagship products such as Windows Vista and SQL Server. Microsoft is publishing the detailed SDL process guidance as part of its commitment to enable a more secure and trustworthy computing ecosystem.

The following documentation provides an in-depth description of the Microsoft SDL methodology and requirements. Proprietary technologies and resources that are only available internally at Microsoft have been omitted from these guidelines.

SDL Process

SDL Process for Line-of-Business Applications

SDL Process – Appendix

Content Disclaimer

The following documentation on the Microsoft Security Development Lifecycle, version 4.1 is for illustrative purposes only.

This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.

This documentation should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented herein. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, OR STATEMENTS ABOUT APPLICABILITY OR FITNESS OF PURPOSE FOR ANY ORGANIZATION ABOUT THE INFORMATION IN THIS DOCUMENT.