Security Development Lifecycle for Line-of-Business Applications: Introduction
The Security Development Lifecycle for Line-of-Business applications (SDL-LOB) defines the standards and best practices for providing security and privacy for new and existing line-of-business (LOB) applications currently under development or being planned for development. The SDL-LOB provides a mainstream approach to the SDL that serves line-of-business applications with additional requirements and recommendations. LOB applications are a set of critical computer applications that are vital to running an enterprise, such as accounting, human resources (HR), payroll, supply chain management, and resource planning applications. This guidance is positioned exclusively for LOB applications or web applications and not for ISV/rich-client and server application development.
Note: The goal of this section is to supplement the main SDL document and allow you to tailor a process specific to your LOB applications while meeting SDL requirements. If you don’t see specific guidance for a particular task in the SDL-LOB, the guidance in the main SDL section is assumed to be in effect. To refer back to a specific phase within the main SDL, click the icon next to each phase heading throughout the SDL-LOB section.
To ensure minimal impact, the SDL-LOB overlays high-level security tasks against the standard SDL phases, as listed in the chevrons in Figure 3.
Figure 3. Standard SDL phases
The following table highlights LOB-specific tasks for each phase of the SDL. These tasks are in addition to those outlined in the main SDL portion of this document. Each task in the table is discussed by phase in the remainder of the LOB section. Note that the Response phase is not included in the table because there are no additional tasks required for that phase beyond what is discussed in the main SDL.
| Training | Requirements | Design | Implementation | Verification | Release |
| --- | --- | --- | --- | --- | --- |
| LOB-specific training | Risk assessment | Asset-centric threat modeling | Internal review | Pre-production assessment | Post-production assessment |
It is important to note that organizations should adapt rather than adopt the Microsoft SDL-LOB process. Organizations are unique and should expect and plan for differences in resources, executive support, and security expertise.
The SDL-LOB, in various incarnations, has been in use since 2001 to identify and reduce risk for over 2,400 separate Microsoft LOB applications/releases.
Resources
Visit the Information Security page for information on the Microsoft Information Security group, which is responsible for security risk management for Microsoft LOB applications.
Appendix V: Lessons Learned and General Policies for Developing LOB Applications
Content Disclaimer
This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products. This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2012 Microsoft Corporation. All rights reserved. Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.