Frequently asked questions

About the Microsoft Security Development Lifecycle (SDL)  

  • The Microsoft SDL is a software development security assurance process created by and used at Microsoft. Combining a holistic and practical approach, the SDL introduces security and privacy throughout all phases of the development process.
    • To understand how Microsoft has improved the security of our products and demonstrate our commitment to Trustworthy Computing, we have released the Microsoft SDL as used at Microsoft in the Microsoft SDL Process guidance.
    • To assist development organizations wishing to adopt the best practices demonstrated by the Microsoft SDL, we have released the Simplified Implementation of the Microsoft SDL whitepaper which provides actionable guidance on the sixteen security practices used to support secure development.
  • As a company-wide initiative and a mandatory policy at Microsoft since 2004, the SDL has played a critical role in embedding security and privacy in Microsoft’s software and culture. The SDL has proven to be effective at reducing vulnerability counts of flagship Microsoft products after release. Windows Vista and SQL Server 2005 are examples of flagship products whose security has been significantly improved:
    • 45% reduction of disclosed vulnerabilities for Windows Vista (66) vs. XP (119) in the first year after release.
    • 91% reduction of disclosed vulnerabilities for SQL Server 2005 (3) vs. 2000 (34) in the three years after release.
    Learn more about these product comparisons.
  • Microsoft is committed to protecting customers and enabling a more trusted computing experience. One of the ways to reach this goal is by sharing security and privacy expertise, guidance, technology, and processes.  

    Some of our publicly available SDL process documentation is available to the development community under the Attribution, Non-Commercial, Share Alike (cc by-nc-sa) terms of the Creative Commons license – which allows organizations to copy, distribute and transmit the documentation to others. This allows organizations to incorporate content from the SDL documents released under Creative Commons into their internal process documentation.

About the Simplified Implementation of the Microsoft SDL
  • Computer crime poses a significant threat to every organization, large or small. By adopting the SDL, development organizations will:
    • Reduce risk and improve trust by making software inherently more secure and protecting sensitive information. Read the MidAmerican SDL Chronicles for insight into how the SDL improved the software security of MidAmerican Energy by reducing the number of high-level threats from 14,000 to fewer than 100 within 273 days.
    • Reduce the total cost of development and generate a positive ROI by finding and eliminating vulnerabilities early in the development process:
      • Analyst reports (Forrester Consulting's State of Application Security and Aberdeen Group's Security and the Software Development Lifecycle: Secure at the Source) have demonstrated that adopting prescriptive and holistic secure software development processes like the Microsoft SDL generates a positive Return on Investment. More specifically, Aberdeen Group's independent report estimated that organizations implementing structured programs for security development realized a very strong 4.0-times return on their annual investments in applications security.
      • According to the National Institute of Standards and Technology (NIST), eliminating vulnerabilities in the design phase of the software development process can cost thirty (30) times less than fixing them post release.
    • Improve the efficiency of compliance activities. By aligning governance, risk, or compliance activities with SDL security practices, organizations may improve the efficiency of their compliance activities and further improve the ROI of their application security investments. For more information, read the SDL and HIPAA Security Rule whitepaper as well as the SDL and PCI DSS/PA-DSS Compliance Activity whitepaper.
  • Yes. The SDL is composed of proven security practices that work in development organizations regardless of their size or platform.
  • The core concepts and individual security activities of the Microsoft SDL that should be performed by development organizations are described in the Simplified Implementation of the Microsoft SDL white paper:
    • Core Security Training
    • Establish Security Requirements
    • Create Quality Gates/Bug Bars
    • Perform Security and Privacy Assessments
    • Establish Design Requirements
    • Perform Attack Surface Analysis/Reduction
    • Use Threat Modeling
    • Use Approved Tools
    • Deprecate Unsafe Functions
    • Perform Static Analysis
    • Perform Dynamic Analysis
    • Perform Fuzz Testing
    • Conduct Attack Surface Review
    • Create an Incident Response Plan
    • Conduct Final Security Review
    • Certify Release and Archive
  • Microsoft makes SDL training resources, Templates for SDL Practices and SDL Tools available to help perform the security activities of the Microsoft SDL process. If you have any questions related to the SDL Process or SDL Tools, visit the SDL Forum.
    Microsoft Services and the SDL Pro Network offer training, consulting, and tools services designed to help organizations adopt the SDL process and make security and privacy an integral part of their software development. 

    Specific offerings include the following areas:

    • Training, policy and organizational capabilities, including security and privacy training and advice on how to implement the practices and tools recommended by the SDL.
    • Requirements and design, including risk analysis, functional requirements, and threat modeling.
    • Implementation, including use of banned APIs, static code analysis, and code review.
    • Verification, including dynamic security testing and web application review.
    • Release and response, including attack surface and threat model reviews, final security review, and response planning and execution.
    • Security tools, such as static analysis tools for the Implementation Phase and dynamic and binary analysis tools for the Verification Phase.
About the Microsoft SDL Process Guidance