Microsoft Security Development Lifecycle (SDL)
Fall 2008: New SDL Programs
As part of its commitment to make the SDL available to every developer, Microsoft is delivering three new programs and tools this fall – the SDL Pro Network, the SDL Optimization Model, and the Microsoft SDL Threat Modeling Tool 3.0.
The Microsoft Security Development Lifecycle (SDL) is the industry-leading software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, SDL has played a critical role in embedding security and privacy into Microsoft software and culture. Combining a holistic and practical approach, SDL introduces security and privacy early and throughout the development process. It has led Microsoft to measurable and widely recognized security improvements in flagship products such as Windows Vista and SQL Server. As part of its commitment to supporting a more secure and trustworthy computing ecosystem, Microsoft is making SDL process guidance, tools and training available for every developer.

“Microsoft’s Trustworthy Computing initiative is perhaps the most advanced and comprehensive application security program in the industry.”
“Managing Application Security From Beginning To End,” Forrester Research, Inc., August 2007

For more information on SDL phases, see The Microsoft Security Development Lifecycle (SDL): Process Guidance.

At Microsoft, the SDL is more than just a mandatory internal policy—it represents a major cultural evolution at Microsoft with regard to software security and privacy. A “security process by a software company,” the SDL was designed as an integral part of the development process. It is based on a risk-based, practical approach with the goal of protecting end-users by reducing the number and severity of vulnerabilities in code.

In addition to enabling development teams to create more secure applications, the SDL reduces the “Total Cost of Development” by finding and eliminating vulnerabilities early. According to the National Institute of Standards and Technology (NIST), eliminating vulnerabilities in the design stage can cost 30 times less than fixing them post release.
By exploring the links on this page, you can learn more about the Microsoft SDL—how it all started, how it works, its measurable improvements in the security of Microsoft’s products, and how your organization can benefit from it. In addition to the in-depth process information, you can find a repository of SDL-related tools and resources.

Visit the SDL Blog to get the most up-to-date ideas and thoughts from the SDL team members at Microsoft.

Visit Michael Howard’s Blog to read all about security in software development from the author of the popular book, Writing Secure Code (Howard, Michael and David LeBlanc, Microsoft Press, Redmond, Washington, 2003).

History of the Microsoft SDL
The concepts that make up the Microsoft SDL were formed with the Trustworthy Computing (TwC) directive of January 2002. At that time, many software development groups at Microsoft instigated “security pushes” to find ways to improve the security of existing code. Since then, SDL has matured into a well-defined methodology. The development, implementation and constant improvement of the SDL represent a strategic investment for Microsoft, and an evolution in the way that software is designed, developed, and tested. The increasing importance of software to society emphasizes the need for Microsoft and the industry as a whole to continue to improve software security. To find out more about the history of Microsoft and the SDL, read the Trustworthy Computing Security Development Lifecycle white paper.

SDL Training and Resources
Check out the resources now available that can help you develop the skills you need to create more secure software. Find PowerPoint presentations, books, videos, and more here.