Offer 2: Security Development Lifecycle & Web Application Security

Getting started with the Microsoft Security Development Lifecycle (SDL)

Adopting the SDL may be an evolution of an existing development security journey or it may be the beginning of a new journey for securing development practices.

Implementing the 10 security practices of SDL is a journey of continuous improvement so the most important thing to do is to get started somewhere and keep improving as you go.

This continuous journey encompasses changes to culture, strategy, processes, and technical controls as you integrate security knowledge and practices into DevOps processes.

Culture and Strategy

Successful workloads must do what they are supposed to do, be reliable and available when needed, and must not allow unauthorized people to abuse them or the data they use.

Security teams must partner with development and operations teams who must collectively value all of the se outcomes and work collaboratively to jointly provide them.

Security Practices and Controls

Implementing technical controls is where security becomes real and attackers get blocked, detected, and remediated.

The 10 practices should be applied across all development activities and prioritized to rapidly reduce business risk while having the least impact on business operations.

Agile security for workloads in DevSecOps.

Processes

Processes integrate culture and technical controls into people’s daily work to make it real and sustain outcomes over time. DevSecOps processes must be:

Comprehensive – apply security across the full lifecycle of development
Continuously applied and improved – to improve workload security, people’s knowledge and skills, and the process of development itself
Pragmatic – blending the best of ‘waterfall’ development and iterative continuous improvement, including definition of a complete minimum viable product (MVP) meeting the most important requirements for development, operations, and security goals.

As you get started on your SDL journey, keep in mind that:

Integration is critical - Security practices and tools should be seamlessly integrated into your existing development goals, metrics, processes, and tooling.
Shift Left – Focus on catching security issues early in the process while it is cheap and easy to do so (during design, during coding sessions, etc.) rather than late in the process where changes are difficult and expensive.
Continuous incremental improvement – because there is no wrong place with security and the job will never be ‘done’, you should focus on establishing a north star of the ideal end state, getting started somewhere, continuously making incremental progress, and continuously prioritizing based on what you learn along the way (about attackers, your processes, business priorities, and more).
Accelerate using Microsoft learnings and resources - Microsoft published guidance based on our learnings and practices to help you with building a strategy, culture, and technical controls for implementing a continuous SDL approach to DevSecOps.

Resources to get started with the SDL

Establish Culture, Strategy, and Processes

Integrate security, development, and operations
experts in a continuously improving process

Innovation security (CAF Secure)
Define Security Practices and Controls

Define clear standards to protect against threats while
enabling productivity and agility

DevSecOps controls
Self-assess

Assess your current workloads with the

well architected security assessment

Well Architected Review

Explore the Microsoft SDL practices