|Title||Requirement/Recommendation||Applies to Online Services||Applies to Managed Code||Applies to Native Code|
|Avoid writable PE segments||Requirement||X||X|
|Create a baseline threat model||Requirement||X||X||X|
|Determine security response standards||Requirement||X||X||X|
|Do not use Visual Basic 6 to build products||Requirement||X||X||X|
|Establish a security response plan||Requirement||X||X||X|
|Identify primary security and privacy contacts||Requirement||X||X||X|
|Identify your team's privacy expert||Requirement||X||X||X|
|Identify your team's security expert||Requirement||X||X||X|
|Threat model your product, its attack surface, and its new features||Requirement||X||X||X|
|Use approved XML parsers||Requirement||X||X|
|Use latest compiler versions||Requirement||X||X||X|
|Use minimum code generation suite and libraries||Requirement||X||X|
|Configure bug tracking to track the cause and effect of security bugs||Recommendation||X||X||X|
|Designate full-time security program manager||Recommendation||X||X||X|
|Remove dependencies on NTLM authentication||Recommendation||X||X||X|
This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.
This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.
This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2012 Microsoft Corporation. All rights reserved.