• SDL for Agile

  • Agile Development Using Microsoft Security Development Lifecycle
  • Microsoft has developed the SDL for Agile process to integrate critical security practices into the Agile methodology. The SDL for Agile Development guidance reorganizes security practices into three categories: Every-Sprint practices, Bucket practices, and One-Time practices
  • Every-Sprint practices: Essential security practices that should be performed in every release.

Training

Requirements

Design

Implementation

Verification

Release

Response

  1. Core Security Training

  1. Establish Security Requirements

  1. Create Quality Gates/Bug Bars

  1. Perform Security and Privacy Risk Assessments

  1. Establish Design Requirements

  1. Perform Attack Surface Analysis/ Reduction

  1. Use Threat Modeling

  1. Use Approved Tools

  1. Deprecate Unsafe Functions

  1. Perform Static Analysis

  1. Perform Dynamic Analysis

  1. Perform Fuzz Testing

  1. Conduct Attack Surface Review

  1. Create an Incident Response Plan

  1. Conduct Final Security Review

  1. Certify Release and Archive

  1. Execute Incident Response Plan

SDL Practice #1: Core Security Training
This practice is a prerequisite for implementing the SDL. Foundational concepts for building better software include secure design, threat modeling, secure coding, security testing, and best practices surrounding privacy.
When should this practice be implemented?

Software development team members in technical roles (developers, testers, and program managers) must attend at least one unique security training class each year. For training that is relevant to each development phase, see Recommended Training below.