• Microsoft Services for the Security Development Lifecycle

  • Microsoft Services offers paid Security Development Lifecycle (SDL) consulting services to customers who would like to have Microsoft directly engaged in their adoption of the SDL. Prices will vary according to the extent of Microsoft’s consulting involvement.
  • Benefits of engaging with Microsoft Services include:
    • Training and guidance from consultants whose expertise comes from working with Microsoft customers in nearly every country and industry.
    • Direct access to the Microsoft product groups that design the software used to build customers' solutions.
    • Cooperation between Microsoft Services and the SDL Pro Network member companies, which can help customers realize the full value of Microsoft technologies.
  • SDL Services for the Software Development Lifecycle
  • Microsoft Services will help identify and prioritize the appropriate SDL practices and tools to use during your organization’s software development process. Services align with the Simplified Implementation of the SDL to make security and privacy an integral part of software development.
  • Specific offerings fall in the following areas:
    • Training, policy and organizational capabilities, including security and privacy training and advice on how to implement the practices and tools recommended by the SDL
    • Requirements and design, including risk analysis, functional requirements, and threat modeling
    • Implementation, including use of banned APIs, static code analysis, and code review
    • Verification, including dynamic security testing and web application review
    • Release and response, including attack surface and threat model reviews, final security review, and response planning and execution
  • Security Development Lifecycle Training
  • Understanding security problems created during the software development lifecycle is a foundational part of building better software. Microsoft offers services designed to support the software security training needs of individuals who are directly involved with the development of software programs. These training services will target the following security development lifecycle concepts:
    • Security Requirements Practices, including establishing security requirements, creation of quality gates and bug bars, and security and privacy risk assessment
    • Security Design Practices, including threat modeling, attack surface analysis, and establishing security design requirements
    • Security Implementation Practices, including static analysis and use of specific implementation phase tools
    • Security Verification Practices, including dynamic analysis and fuzz testing, and attack surface review
    • Release and Response Practices, including incident response planning and final security reviews