Appendix R: SDL-Agile One-Time Requirements

| Title | Requirement/Recommendation | Applies to Online Services | Applies to Managed Code | Applies to Native Code |
|---|---|---|---|---|
| Avoid writable PE segments | Requirement | | X | X |
| Create a baseline threat model | Requirement | X | X | X |
| Determine security response standards | Requirement | X | X | X |
| Do not use Visual Basic 6 to build products | Requirement | X | X | X |
| Establish a security response plan | Requirement | X | X | X |
| Identify primary security and privacy contacts | Requirement | X | X | X |
| Identify your team's privacy expert | Requirement | X | X | X |
| Identify your team's security expert | Requirement | X | X | X |
| Threat model your product, its attack surface, and its new features | Requirement | X | X | X |
| Use approved XML parsers | Requirement | | X | X |
| Use latest compiler versions | Requirement | X | X | X |
| Use minimum code generation suite and libraries | Requirement | | X | X |
| Configure bug tracking to track the cause and effect of security bugs | Recommendation | X | X | X |
| Designate full-time security program manager | Recommendation | X | X | X |
| Remove dependencies on NTLM authentication | Recommendation | X | X | X |

Content Disclaimer

This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.

This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.

This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2012 Microsoft Corporation. All rights reserved.

Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported