SDL for Agile
Agile Development Using Microsoft Security Development Lifecycle
Microsoft has developed the SDL for Agile process to integrate critical security practices into the Agile methodology. The SDL for Agile Development guidance reorganizes the SDL security practices into three categories: Every-Sprint practices, Bucket practices, and One-Time practices.
Every-Sprint practices: Essential security practices that must be completed in every sprint, however short the sprint is.
Bucket practices: Important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime.
One-Time practices: Foundational practices that are completed once per project, normally at the start (establishing the bug bar, covered below, is one of them).
Training
  1. Core Security Training
Requirements
  2. Establish Security Requirements
  3. Create Quality Gates/Bug Bars
  4. Perform Security and Privacy Risk Assessments
Design
  5. Establish Design Requirements
  6. Perform Attack Surface Analysis/Reduction
  7. Use Threat Modeling
Implementation
  8. Use Approved Tools
  9. Deprecate Unsafe Functions
  10. Perform Static Analysis
Verification
  11. Perform Dynamic Analysis
  12. Perform Fuzz Testing
  13. Conduct Attack Surface Review
Release
  14. Create an Incident Response Plan
  15. Conduct Final Security Review
  16. Certify Release and Archive
Response
  17. Execute Incident Response Plan

SDL Practice #3: Create Quality Gates/Bug Bars

Defining the minimum acceptable level of security and privacy quality at the start of a project helps the team understand the risk each class of security issue carries, find and fix security bugs while the code is still being written, and apply one consistent standard for the entire project rather than negotiating it release by release.

Setting a meaningful bug bar means clearly defining the severity thresholds that block a release (for example, no known vulnerabilities in the application with a "critical" or "important" rating at the time of release), agreeing on them before development starts, and never relaxing them once they have been set. The bar may be tightened as the product matures; it must not be loosened to let a late finding ship.
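A worked example of the gate itself, added here and not taken from the page or from Microsoft's SDL tooling: a small Python check that encodes the bug bar as a severity threshold, fails the release on any open finding rated at or above that threshold, and refuses a bar that is looser than the one agreed at project start. The finding record layout, the "Moderate" and "Low" ratings below "Important", the sample findings, and the baseline comparison are assumptions made for illustration.

```python
"""Release quality gate enforcing an SDL-style bug bar.

Added example: this is not code from the page or from Microsoft's SDL
tooling. The finding record layout, the "Moderate"/"Low" ratings below
"Important", and the relaxation check against a baseline bar are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Severity scale, most severe first. "Critical" and "Important" are the
# ratings named on the page; "Moderate" and "Low" are assumed to complete it.
SEVERITY_ORDER = ["Critical", "Important", "Moderate", "Low"]
RANK = {name: idx for idx, name in enumerate(SEVERITY_ORDER)}


@dataclass(frozen=True)
class BugBar:
    """The minimum acceptable bar: no open finding rated block_at or worse may ship."""

    block_at: str

    def __post_init__(self) -> None:
        if self.block_at not in RANK:
            raise ValueError(f"unknown severity threshold: {self.block_at!r}")

    def blocks(self, severity: str) -> bool:
        # Unrated or unrecognised severities fail closed: they block the
        # release until triage assigns a rating that is on the scale.
        if severity not in RANK:
            return True
        return RANK[severity] <= RANK[self.block_at]

    def is_relaxation_of(self, baseline: "BugBar") -> bool:
        """True if this bar would let through something the baseline blocks."""
        return RANK[self.block_at] < RANK[baseline.block_at]


@dataclass
class Finding:
    """One security bug as a tracker or scanner would report it (assumed layout)."""

    id: str
    severity: str
    status: str  # "open" or "fixed"


@dataclass
class GateResult:
    passed: bool
    blockers: List[str] = field(default_factory=list)  # finding ids that fail the bar
    reasons: List[str] = field(default_factory=list)   # human-readable failure causes


def evaluate_gate(findings: List[Finding], bar: BugBar, baseline: BugBar) -> GateResult:
    """Apply the bug bar to a set of findings; the bar may tighten but never relax."""
    result = GateResult(passed=True)
    # Rule 1: the bar set at project start is a floor. A bar that blocks less
    # than the baseline is a relaxation, and the gate fails regardless of findings.
    if bar.is_relaxation_of(baseline):
        result.passed = False
        result.reasons.append(
            f"bug bar relaxed from {baseline.block_at} to {bar.block_at}; not permitted"
        )
        return result
    # Rule 2: no open finding at or above the threshold may ship.
    for finding in findings:
        if finding.status == "open" and bar.blocks(finding.severity):
            result.blockers.append(finding.id)
    if result.blockers:
        result.passed = False
        result.reasons.append(
            f"{len(result.blockers)} open finding(s) rated {bar.block_at} or worse"
        )
    return result


# Constructed sample findings (not real data).
SAMPLE_FINDINGS = [
    Finding("SEC-101", "Critical", "fixed"),
    Finding("SEC-102", "Important", "open"),
    Finding("SEC-103", "Moderate", "open"),
    Finding("SEC-104", "Low", "open"),
]

if __name__ == "__main__":
    baseline = BugBar("Important")  # bar agreed at project start
    for attempt in (BugBar("Important"), BugBar("Moderate"), BugBar("Critical")):
        outcome = evaluate_gate(SAMPLE_FINDINGS, attempt, baseline)
        verdict = "PASS" if outcome.passed else "FAIL"
        print(f"bar={attempt.block_at:<9} {verdict} blockers={outcome.blockers} {outcome.reasons}")
```

In a pipeline the findings would come from the bug tracker or scanner export, and the baseline bar would live in version control next to the current one, so loosening the bar is a reviewable change rather than a quiet triage decision. Findings without a recognised rating block the release, so an unclassified bug cannot slip under the bar by never being rated.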

When should this practice be implemented?

Traditional software development: Requirements phase
Agile development: One-Time practice