Since 2004, the Microsoft Security Development Lifecycle (SDL) has been a mandatory software development policy for all products with meaningful business risk and/or access to sensitive data. The ultimate test of the SDL is the extent to which it can reduce the number and severity of vulnerabilities in software. In order to measure the extent to which these goals are met, security experts analyzed public vulnerability counts in “pre-SDL” and “post-SDL” versions of the same product. The examples below demonstrate the effectiveness of the Microsoft SDL in improving the security of Microsoft products that were developed with it. These improvements are a key part of Microsoft’s commitment to protect its customers. Moreover, these improvements reduce the total cost of ownership (TCO) for Microsoft products, since fewer patch events are required for them.
Microsoft Windows: Vista and XP
Microsoft Windows Vista shipped to business customers on the last day of November 2006, so the end of November 2007 marked the first anniversary for supported production use of the operating system (OS). Windows Vista was the first OS to benefit from the SDL, and the illustration below indicates security improvements derived from the SDL when compared to Windows XP, which did not undergo the process (Microsoft SDL was used for Windows XP SP2). After the first year, Windows Vista had 45% fewer vulnerabilities than Windows XP. In a comparison of security vulnerabilities, Windows Vista also fares better than competing operating systems.
Microsoft SQL Server: SQL Server 2005 and 2000
SQL Server serves as an excellent example for security improvements resulting from incorporating the SDL. Since 2004, Microsoft has issued only three security bulletins for the SQL Server 2005 database engine. Again, this is a testament to the extent to which security and SDL have become inseparable from the development culture at Microsoft.
Microsoft Internet Explorer: IE7 and IE6
The two graphics above show how the vulnerability counts decreased on products developed with the SDL. As a result, the number of vulnerabilities to be fixed after release decreases too, which reduces the total cost of development. IE7 serves as a good example of this: IE7 was the first version of the Microsoft Web browser to be fully developed with the SDL. Compared to IE6, IE7 featured a 35% decrease in total vulnerabilities and a 63% decrease in high severity vulnerabilities fixed in the year after release.