• Microsoft Security Development Lifecycle Process

  • Seven phases of the traditional software development lifecycle define Security Development Lifecycle (SDL) process. Click on a phase to view the security practice details preformed during each phase or download the whitepaper Simplified Implementation of the SDL.

Training

Requirements

Design

Implementation

Verification

Release

Response

  1. Core Security Training

  1. Establish Security Requirements

  1. Create Quality Gates/Bug Bars

  1. Perform Security and Privacy Risk Assessments

  1. Establish Design Requirements

  1. Perform Attack Surface Analysis/ Reduction

  1. Use Threat Modeling

  1. Use Approved Tools

  1. Deprecate Unsafe Functions

  1. Perform Static Analysis

  1. Perform Dynamic Analysis

  1. Perform Fuzz Testing

  1. Conduct Attack Surface Review

  1. Create an Incident Response Plan

  1. Conduct Final Security Review

  1. Certify Release and Archive

  1. Execute Incident Response Plan

Previous previous phase
next phase Next
  • What Is the Microsoft Security Development Lifecycle (SDL)?

  • The SDL is a software development security assurance process consisting of security practices grouped by seven phases of the traditional software development life cycle. Experiences at Microsoft has shown security practices executed in chronological order helped result in greater security gains and cost benefits than from ad hoc implementation. The SDL process is not specific to Microsoft or the Windows platform and can be applied to different operating systems, platforms, development methodologies, and to projects of any size.
  • What Types of Software Benefit from the SDL?

If your organization builds software with one or more of the following characteristics, you should consider adopting the SDL:
  • The software will be deployed in a business or enterprise environment
  • The software must meet regulatory requirements for how data is transmitted, stored, and displayed
  • The software communicates regularly over the Internet or other networks