Microsoft Services for the Security Development Lifecycle
Microsoft Services offers paid Security Development Lifecycle (SDL) consulting services to customers who would like to
have Microsoft directly engaged in their adoption of the SDL. Prices will vary according to the extent of Microsoft’s
Benefits of engaging with Microsoft Services include:
- Receiving training and guidance from consultants who offer comprehensive services and expertise gained from working
with Microsoft customers in nearly every country and every industry.
- Direct access to the Microsoft product groups that design the software being used to build customers' solutions.
- The cooperation of Microsoft Services and the SDL Pro Network member companies that can help customers realize the full value of Microsoft technologies.
SDL Services for the Software Development Lifecycle
Microsoft Services will help identify and prioritize the appropriate SDL practices and tools to use during your organization’s
software development process. Services align with the Simplified Implementation of the SDL to make security and
privacy an integral part of software development.
Specific offerings fall in the following areas:
- Training, policy and organizational capabilities, including security and privacy training and advice on how to implement the practices and tools recommended by the SDL
- Requirements and design, including risk analysis, functional requirements, and threat modeling
- Implementation, including use of banned APIs, static code analysis, and code review
- Verification, including dynamic security testing and web application review
- Release and response, including attack surface and threat model reviews, final security review, and response planning and execution
Security Development Lifecycle Training
Understanding security problems created during the software development lifecycle is a foundational part of building better
software. Microsoft offers services designed to support the software security training needs of individuals who
are directly involved with the development of software programs. These training services will target the following
security development lifecycle concepts:
- Security Requirements Practices, including establishing security requirements, creation of quality gates and
bug bars, and security and privacy risk assessment
- Security Design Practices, including threat modeling, attack surface analysis, and establishing security design
- Security Implementation Practices, including static analysis and use of specific implementation phase tools
- Security Verification Practices, including dynamic analysis and fuzz testing, and attack surface review
- Release and Response Practices, including incident response planning and final security reviews