Microsoft® Security Development Lifecycle

SDL Process: Training

Seven phases of the traditional software development lifecycle define the Security Development Lifecycle (SDL) process. Click on a phase to view the security practice details performed during each phase or download the whitepaper Simplified Implementation of the SDL.

SDL Practice #1: Core Security Training

Software security training is a prerequisite for implementing the SDL, and individuals in technical roles (developers, testers, and program managers) who are directly involved with the development of software programs must attend at least one unique security training class each year.

Why should I follow this practice?

Understanding software security problems is a foundational part of building better software. By allowing individuals involved with the development of software programs to stay informed about security basics and the latest trends in security and privacy, you’ll increase their commitment to writing more secure software. For more information, read the Essential Software Security Training for the Microsoft SDL whitepaper.

When should I employ this practice?
Basic software security training should cover foundational concepts such as:
  • Secure design, including: attack surface reduction, defense in depth, principle of least privilege, secure defaults
  • Threat modeling, including: overview of threat modeling, design implications of a threat model, coding constraints based on a threat model
  • Secure coding, including: buffer overruns (for applications using C and C++), integer arithmetic errors (for applications using C and C++), cross-site scripting (for managed code and web applications), SQL injection (for managed code and web applications), and weak cryptography
  • Security testing, including: differences between security testing and functional testing, risk assessment, security testing methods
  • Privacy, including: types of privacy-sensitive data, privacy design best practices, risk assessment, privacy development best practices, and privacy testing best practices

Training resources by SDL phase

Training Phase:
  • Introduction to Microsoft Security Development Lifecycle (SDL)

Requirements Phase:
  • Privacy in Software Development

Design Phase:
  • Basics of Secure Design, Development and Test
  • Introduction to Microsoft SDL Threat Modeling
  • SDL Quick Security References – Cross-Site Scripting, Exposure of Sensitive Information, SQL Injection
  • SDL Developer Starter Kit – Secure Design, Threat Modeling, and Threat Modeling Tool Principles

Implementation Phase:
  • Basics of Secure Design, Development and Test
  • SDL Quick Security References – Cross-Site Scripting, Exposure of Sensitive Information, SQL Injection
  • SDL Developer Starter Kit – Secure Implementation Principles, Banned APIs, Code Analysis, Source Annotation Code Language, SQL Injection, Compiler Defenses, Buffer Overflows, and Cross-Site Scripting

Verification Phase:
  • Basics of Secure Design, Development and Test
  • SDL Quick Security References – Cross-Site Scripting, Exposure of Sensitive Information, SQL Injection
  • SDL Developer Starter Kit – Secure Verification Principles, Fuzz Testing, Code Review, SQL Injection, Compiler Defenses, Buffer Overflows, and Cross-Site Scripting