• SDL for Agile

  • Agile Development Using Microsoft Security Development Lifecycle
  • Microsoft has developed the SDL for Agile process to integrate critical security practices into the Agile methodology. The SDL for Agile Development guidance reorganizes security practices into three categories: Every-Sprint practices, Bucket practices, and One-Time practices.
  • Bucket practices: important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime.

The SDL phases and the practices that belong to each (practice numbers match the "SDL Practice #n" headings used below):

Training
  1. Core Security Training

Requirements
  2. Establish Security Requirements
  3. Create Quality Gates/Bug Bars
  4. Perform Security and Privacy Risk Assessments

Design
  5. Establish Design Requirements
  6. Perform Attack Surface Analysis/Reduction
  7. Use Threat Modelling

Implementation
  8. Use Approved Tools
  9. Deprecate Unsafe Functions
  10. Perform Static Analysis

Verification
  11. Perform Dynamic Analysis
  12. Perform Fuzz Testing
  13. Conduct Attack Surface Review

Release
  14. Create an Incident Response Plan
  15. Conduct Final Security Review
  16. Certify Release and Archive

Response
  17. Execute Incident Response Plan

SDL Practice #3: Create Quality Gates/Bug Bars
Defining minimum acceptable levels of security and privacy quality at the start helps a team understand risks associated with security issues, identify and fix security bugs during development, and apply the standards throughout the entire project.
Setting a meaningful bug bar involves clearly defining the severity thresholds of security vulnerabilities (for example, no known vulnerabilities in the application with a “critical” or “important” rating at time of release) and never relaxing it once it's been set.
When should this practice be implemented?

  • Traditional software development: Requirements phase
  • Agile development: One-Time practice
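An added example (not part of the SDL guidance) of how a bug bar like the one above can be enforced as an automated release gate. The severity scale below "important", the bug-record fields, and the sample bug-tracker export are assumptions constructed for the example; the gate fails closed on untriaged security bugs, which is the caveat a practitioner would want.

```python
"""Release gate enforcing a security bug bar (added example, not SDL guidance code).

The bar is the one the text gives: no open security bug rated "critical" or
"important" at release time. Severity ordering and record fields are assumed.
"""

# Severity scale, most severe first. "critical" and "important" come from the
# text; the lower ratings are an assumption for illustration.
SEVERITY_ORDER = ("critical", "important", "moderate", "low")

# The bug bar: the least severe rating that still blocks a release.
BUG_BAR = "important"


def blocks_release(severity, bar=BUG_BAR):
    """True if a bug with this rating is at or above the bar.

    Unknown or missing ratings fail closed: an untriaged security bug blocks
    the release rather than slipping through the gate.
    """
    sev = (severity or "").strip().lower()
    if sev not in SEVERITY_ORDER:
        return True
    return SEVERITY_ORDER.index(sev) <= SEVERITY_ORDER.index(bar)


def evaluate_release(bugs, bar=BUG_BAR):
    """Return the open security bugs that violate the bar (empty list = gate passes)."""
    return [
        b for b in bugs
        if b.get("security") and b.get("state") == "open"
        and blocks_release(b.get("severity"), bar)
    ]


def gate_passes(bugs, bar=BUG_BAR):
    return not evaluate_release(bugs, bar)


# Constructed sample of a bug-tracker export (hypothetical data).
SAMPLE_BUGS = [
    {"id": 101, "security": True, "state": "open", "severity": "Critical"},
    {"id": 102, "security": True, "state": "open", "severity": "low"},
    {"id": 103, "security": True, "state": "fixed", "severity": "important"},
    {"id": 104, "security": False, "state": "open", "severity": "critical"},  # functional bug
    {"id": 105, "security": True, "state": "open", "severity": None},  # untriaged
]

if __name__ == "__main__":
    for b in evaluate_release(SAMPLE_BUGS):
        print(f"BLOCKED by bug {b['id']}: severity={b['severity']}")
    print("release gate:", "PASS" if gate_passes(SAMPLE_BUGS) else "FAIL")
```

Because the bar is a fixed constant rather than a per-release parameter, loosening it requires a code change that shows up in review, which is one way to honour the "never relax it once set" rule.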