The Microsoft Security Development Lifecycle (SDL)

New content!
SDL 4.1a Process Guidance: The Microsoft Security Development Lifecycle (SDL) 4.1a now provides guidance on how to build more secure applications for Agile Development. Embrace lightweight software security practices with the SDL for Agile Development, a streamlined approach that melds Agile methods and security.

Whitepaper: Security Considerations for Client and Cloud applications
The increasing importance of "client and cloud" computing raises a number of important concerns about security. Understand how Microsoft addresses potential security vulnerabilities during the development of “client and cloud” applications using the SDL.

New tools!
Microsoft SDL team releases two security verification tools as FREE DOWNLOADS – BinScope Binary Analyzer integrates directly into the Visual Studio 2008 IDE. MiniFuzz File Fuzzer is a Visual Studio 2008 add-in. Both tools provide easy integration with TFS 2008 and the SDL Process Template for VSTS 2008!

SDL is the industry-leading software security assurance process

A Microsoft-wide initiative and a mandatory policy since 2004, the SDL introduces security and privacy early and throughout the development process. Combining a holistic and practical approach, the SDL is risk-based with the goal of protecting end-users by reducing the number and severity of vulnerabilities in code.

For more information on the SDL Process, read the SDL Process Guidance.

“Microsoft’s Trustworthy Computing initiative is perhaps the most advanced and comprehensive application security program in the industry.”
Managing Application Security From Beginning To End Forrester Research, Inc., August 2007

Benefits of the Microsoft SDL

• Reducing the number of software vulnerabilities

  The SDL has played a critical role in embedding security and privacy into Microsoft software and culture, leading to measurable and widely recognized security improvements in flagship products such as Windows Vista and SQL Server.

• Reducing the total cost of development

  The SDL reduces the “total cost of development” by finding and eliminating vulnerabilities early. According to the National Institute of Standards and Technology (NIST), eliminating vulnerabilities in the design stage can cost 30 times less than fixing them post release.

History of the Microsoft SDL

The concepts that make up the Microsoft SDL were formed with the Trustworthy Computing (TwC) directive of January 2002. At that time, many software development groups at Microsoft instigated “security pushes” to find ways to improve the security of existing code.

Becoming a mandatory policy in 2004, the SDL represents a major cultural evolution at Microsoft with regards to software security and privacy and has matured into a well defined methodology. A “security process by a software company,” the SDL was designed as an integral part of the development process. The development, implementation and constant improvement of the SDL represents a strategic investment for Microsoft, and an evolution in the way that software is designed, developed, and tested.

The increasing importance of software to society emphasizes the need for Microsoft and the industry as a whole to continue to improve software security. To that end, Microsoft committed in 2005 to supporting a more secure and trustworthy computing ecosystem and makes SDL process guidance, tools and training available for every developer.

To find out more about the history of Microsoft and the SDL, read the Trustworthy Computing Security Development Lifecycle white paper.

And also hear stories from people at Microsoft about the real-life conflicts that led to creation of the SDL, plus the challenges and successes in implementing it at Microsoft.

Why you should leverage the same process in your organization

By exploring this website, you can learn more about the Microsoft SDL—how it all started, how it works, its measurable improvements in the security of Microsoft’s products, its available tools and resources and how your organization can benefit from it.

Visit the SDL Blog to get the most up-to-date ideas and thoughts from the SDL team members at Microsoft.

Visit Michael Howard’s Blog to read all about security in software development from the author of the popular book, Writing Secure Code (Howard, Michael and David LeBlanc, Microsoft Press, Redmond, Washington, 2003).

And read our FAQ to get more information about the SDL.