When sensitive data is processed through applications, the security risks to that data are mitigated by incorporating an end-to-end security strategy into the architecture, design, development, and deployment of the application. According to international crime statistics and studies conducted by Microsoft and others, the majority of cybercrimes and their resulting losses originate with exploited software vulnerabilities. For the vast majority of those vulnerabilities, a fix was known and available.
Governments and agencies must improve their application security postures by subscribing to a holistic, prescriptive application security methodology. Organizations that do not integrate security and privacy into their development practices from the earliest stages will find addressing them later to be more expensive and potentially ineffective in protecting critical infrastructure and data.
The Microsoft Security Development Lifecycle, with its supporting guidance, training, and tools, enables customers to establish priorities based on the security maturity level of the development team, assess where their organization falls on the maturity continuum, and determine security priorities structured around five capability areas and four maturity levels.
Microsoft Services and the SDL Pro Network offer training, consulting, and tools services designed to help organizations adopt the SDL process and make security and privacy an integral part of their software development process, working together to realize the full value of Microsoft technologies.
Specific offerings fall into the following areas:
Training, policy and organizational capabilities, including security and privacy training and advice on how to implement the practices and tools recommended by the SDL
Requirements and design, including risk analysis, functional requirements, and threat modeling
Implementation, including use of banned APIs, static code analysis, and code review
Verification, including dynamic security testing and web application review
Release and response, including attack surface and threat model reviews, final security review, and response planning and execution
Security tools, such as static analysis tools for the Implementation Phase and dynamic and binary analysis tools for the Verification Phase