NEW ! Microsoft releases the Microsoft SDL Process Template for Visual Studio Team System
The SDL Process Template for VSTS makes secure code writing a lot easier by integrating the SDL v4.1 automatically into your software development environment. Learn more about the template and download it.
The Microsoft Security Development Lifecycle (SDL) is the industry-leading software security assurance process
A Microsoft-wide initiative and a mandatory policy since 2004, the SDL introduces security and privacy early and throughout the development process. Combining a holistic and practical approach, the SDL is risk-based with the goal of protecting end-users by reducing the number and severity of vulnerabilities in code.
The Microsoft Security Development Lifecycle
.jpg)
For more information on the SDL Process, read the SDL Process Guidance.
“Microsoft’s Trustworthy Computing initiative is perhaps the most advanced and comprehensive application security program in the industry.”
Managing Application Security From Beginning To End Forrester Research, Inc., August 2007
Benefits of the Microsoft SDL
- Reducing the number of software vulnerabilities
The SDL has played a critical role in embedding security and privacy into Microsoft software and culture, leading to measurable and widely recognized security improvements in flagship products such as Windows Vista and SQL Server.
- Reducing the total cost of development
The SDL reduces the “total cost of development” by finding and eliminating vulnerabilities early. According to the National Institute of Standards and Technology (NIST), eliminating vulnerabilities in the design stage can cost 30 times less than fixing them post release.
History of the Microsoft SDL
The concepts that make up the Microsoft SDL were formed with the Trustworthy Computing (TwC) directive of January 2002. At that time, many software development groups at Microsoft instigated “security pushes” to find ways to improve the security of existing code.
Becoming a mandatory policy in 2004, the SDL represents a major cultural evolution at Microsoft with regards to software security and privacy and has matured into a well defined methodology. A “security process by a software company,” the SDL was designed as an integral part of the development process. The development, implementation and constant improvement of the SDL represents a strategic investment for Microsoft, and an evolution in the way that software is designed, developed, and tested.
The increasing importance of software to society emphasizes the need for Microsoft and the industry as a whole to continue to improve software security. To that end, Microsoft committed in 2005 to supporting a more secure and trustworthy computing ecosystem and makes SDL process guidance, tools and training available for every developer.
To find out more about the history of Microsoft and the SDL, read the Trustworthy Computing Security Development Lifecycle white paper.
And also hear stories from people at Microsoft about the real-life conflicts that led to creation of the SDL, plus the challenges and successes in implementing it at Microsoft.
Explore the Microsoft SDL Website and get to know why you should leverage the same process in your organization
By exploring this website, you can learn more about the Microsoft SDL—how it all started, how it works, its measurable improvements in the security of Microsoft’s products, its available tools and resources and how your organization can benefit from it.
Visit the SDL Blog to get the most up-to-date ideas and thoughts from the SDL team members at Microsoft.
Visit Michael Howard’s Blog to read all about security in software development from the author of the popular book, Writing Secure Code (Howard, Michael and David LeBlanc, Microsoft Press, Redmond, Washington, 2003).
And read our FAQ to get more information about the SDL.