Microsoft® Security Development Lifecycle

Locations

United States Change All Microsoft Sites

Search


Was this information useful?
 |
yes
 |
no

SDL Process: Implementation

Seven phases of the traditional software development lifecycle define Security Development Lifecycle (SDL) process. Click on a phase to view the security practice details preformed during each phase or download the whitepaper Simplified Implementation of the SDL.

Simplified Implementation of the SDL

View video:

Implementation
of the SDL
previous phase | next phase
SDL Practice #8:

Use Approved Tools

 SDL Practice #9:

Deprecate Unsafe Functions

SDL Practice #10:

Perform Static Analysis

Define and publish a list of approved tools and associated security checks, such as compiler/linker options and warnings. The list should be regularly updated with the latest versions of the tools.

Determine the list of banned functions, use header files, newer compliers, or code scanning tools to check code for the existence of banned functions, and then replace those banned functions with safer alternatives.

Static analysis consists of analyzing the source code prior to compile.
Why should I follow this practice?

Using tools helps automate and enforce security practices easily at a low cost. Using the latest version of approved tools allows inclusion of new security analysis functionality and protections.

Removing banned APIs reduces potential security bugs with very little engineering cost.

Static analysis of source code provides a scalable method of security code review and helps ensure that secure coding policies are being followed.

When should I employ this practice?

Traditional Software development: Implementation Phase
Agile development: Every Sprint

Traditional Software development: Implementation Phase
Agile development: Every Sprint

Traditional Software development: Implementation Phase
Agile development: Every Sprint

Resources specific to this practice
Tools specific to this practice