The Microsoft Security Development Lifecycle: Publications and Resources

SDL Process Guidance

• Detailed information on all stages and requirements of the Microsoft SDL:
• Available on MSDN – Microsoft SDL version 4.1a – Process Guidance
• Available on the Download Center:
  Microsoft SDL Version 4.1a Process Guidance (.docx) – includes SDL for Agile Development
  Microsoft SDL Version 4.1 Process Guidance (.doc)
  Microsoft SDL Version 3.2 Process Guidance (.doc)

Applying the Microsoft SDL

• How to Manually Integrate the SDL Process Template into an existing Visual Studio project
• Security Considerations for Client and Cloud Applications
• Microsoft Silverlight 1.0: An SDL Implementation Story 

Other SDL Resources

• Michael Howard discusses the SDL development practices, TechEd Barcelona, Nov. 2007 – Presentation and Video
• Michael Howard's "Everything Developer Security" talk, TechEd Barcelona, Nov. 2007 – Presentation  and Video
• Security practitioners and experts discuss "A Proactive Approach to Building a Successful Security Development Lifecycle (SDL) Program", Nov. 2008 – Presentation and Video
  SDL ROI whitepaper
• Quiz "Test Your Security IQ", Nov. 2008 – Put your C/C++/C# security skills to the challenge by reviewing ten tricky code snippets devised by Michael Howard and Bryan Sullivan.
• SDL Series: a set of 7 articles investigating the Microsoft Security Development Lifecycle
  • Article #1: Investigating the Security Development Lifecycle at Microsoft
  • Article #2: Security Education at Microsoft
  • Article #3: The Microsoft Security Org Chart
  • Article #4: Threat Modeling at Microsoft
  • Article #5: Microsoft’s Security Toolbox
  • Article #6: Microsoft’s Security Response
  • Article #7: Evolution of the Microsoft Security Development Lifecycle
• The Security Development Lifecycle Blog pulls together comments and insights from the Security Engineering team at Microsoft.
• Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, Redmond, Washington, 2006
• Michael Howard and David LeBlanc, Writing Secure Code, Second Edition, Microsoft Press, Redmond, Washington, 2003

Threat Modeling

Getting started with threat modeling

• Uncover Security Design Flaws Using the STRIDE Approach, Nov. 2006 – Learn how the STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privileges) model helps uncover and mitigate security design vulnerabilities.
• Michael Howard discusses threat modeling, TechEd Barcelona, Nov. 2007 – Presentation and Video
• Michael Howard and Adam Shostack walk you through the SDL Threat Modeling Tool, Nov. 2008 – Video
• Getting Started with the SDL Threat Modeling Tool, Jan. 2009 – Follow Deb (a developer), Paul (a program manager), and Tim (a tester) through the process of developing their first threat model.

Diving deeper into threat modeling

• Reinvigorate Your Threat Modeling Process, Jul. 2008 – Learn from Microsoft’s lessons learned and apply them to your organization.
• Threat Models Improve Your Security Process, Nov. 2008 – Learn how to think about secure design from a more holistic perspective by using threat models to drive your security engineering process, primarily helping you prioritize code review, fuzz testing, and attack surface analysis tasks.
• The Trouble with Threat Modeling, a series from the SDL Blog
• Experiences Threat Modeling at Microsoft from the Security Modeling Workshop at MODELS 08 SDL
• All threat modeling posts from the SDL Blog
• Threat Modeling for Line Of Business (LOB) Applications – the Microsoft ACE approach

Secure Application Development

• Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC, Oct. 2009
• Securing Applications with the .NET Framework
  The common language runtime and the .NET Framework provide many useful classes and services that enable developers to easily write security code. These classes and services also enable system administrators to customize the access that code has to protected resources. In addition, the runtime and the .NET Framework provide useful classes and services that facilitate the use of cryptography and role-based security.
• Patterns & Practices – Security Guidance for Application Development
• Software Security with Static Code Analysis Using CAT.NET (Level 200), Feb. 2009 – Presentation and Video

  In this webcast, Andreas Fuchsberger, Senior Software Design Engineer at Microsoft Corporation provides an overview of what static code analysis is and typical coding errors that static analysis can and cannot detect. He also looks at the recently released CAT.NET tool and how it helps with the detection of security vulnerabilities.

SDL for Online Services and Agile

• SDL embraces Web, Sept. 2008 – Get detailed information on the new online service SDL requirements.
• Bryan Sullivan discusses "More Secure Online Services Powered by the Microsoft Security Development Lifecycle", Oct. 2008 – Presentation and Video
• Agile SDL: Streamline Security Process for Agile Development, Nov. 2008 – Get to know the new SDL/Agile methodology
• Bryan Sullivan presents "Ajax Applications: A Blueprint for Disaster", Mar. 2009 – Presentation and Video

  How secure is your average Ajax application? A sample Ajax application will be built using design patterns, advice, and code samples from respected resources in the Ajax community; then the glaring security vulnerabilities will be exposed.

Microsoft Privacy Guidelines

Privacy guidelines for developing software products and services that are based on Microsoft internal guidelines and experience incorporating privacy into the software development process.