The Security Development Lifecycle (or SDL) is a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process. These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation and the conduct of code reviews and security testing during a focused "security push." The SDL involves modifying a software development organization's processes by integrating measures that lead to improved software security: the intention of these modifications is not to totally overhaul the process, but rather to add well-defined security checkpoints and security deliverables. Figure 1 depicts the seven phases that define the SDL process.
Figure 1: the seven phases of the Security Development Lifecycle Process.
This step is a prerequisite for implementing the SDL: individuals in technical roles (developers, testers, and program managers) who are directly involved with the development of software programs must attend at least one unique security training class each year. Keeping the people involved in software development informed about security basics and the latest trends in security and privacy increases their commitment to writing more secure software. Basic core security training should cover foundational concepts such as:
The Requirements phase of the SDL includes the project inception (when you consider security and privacy at a foundational level) and a cost analysis (when you determine whether the development and support costs of improving security and privacy are consistent with business needs). This phase includes the following practices:
The Design phase is when you build the plan for how you will take your project through the rest of the SDL process: from implementation, to verification, to release. During the Design phase you establish the best practices to follow for this phase by way of functional and design specifications, and you perform risk analysis to identify threats and vulnerabilities in your software. This phase includes the following practices:
The Implementation phase is when the end user of your software is foremost in your mind. During this phase you create the documentation and tools the customer uses to make informed decisions about how to deploy your software securely. To this end, the Implementation phase is when you establish development best practices to detect and remove security and privacy issues early in the development cycle. This phase includes the following practices:
During the Verification phase, you ensure that your code meets the security and privacy tenets you established in the previous phases. This is done through security and privacy testing and a security push, which is a team-wide focus on threat model updates, code review, testing, and thorough documentation review and editing. A public release privacy review is also completed during the Verification phase. This phase includes the following practices:
The Release phase is when you ready your software for public consumption and, perhaps more importantly, you ready yourself and your team for what happens once your software is in the hands of the user. One of the core concepts in the Release phase is planning (mapping out a plan of action, should any security or privacy vulnerabilities be discovered in your release), and this carries over to post-release as well, in terms of response execution. To this end, a Final Security Review and a privacy review are required prior to release. This phase includes the following practices:
After a software program is released, the product development team must be available to respond to any possible security vulnerabilities or privacy issues that warrant a response. In addition, develop a response plan that includes preparations for potential post-release issues. This phase includes the following practice:
Luigi Bruno edited Original. Comment: Added the "Community Resources" section.