This is the Trace Id: 8bed555572ab6aae805ea10ead6c528b
developer looking at computer

Microsoft Security Development Lifecycle (SDL)

With today’s complex threat landscape, it’s more important than ever to build security into your applications and services from the ground up. Discover how we build more secure software and address security compliance requirements.

Learn about the practices of the SDL, and how to implement them in your organization.


The Security Development Lifecycle (SDL) is the approach Microsoft uses to integrate security into DevOps processes (sometimes called a DevSecOps approach). You can use this SDL guidance and documentation to adapt this approach and practices to your organization.  

The practices described in the SDL approach can be applied to all types of software development and all platforms from classic waterfall through to modern DevOps approaches. This generally applicable software security approach works across different:

  • Software – whether you are developing software code for firmware, AI applications, operating systems, drivers, IoT Devices, mobile device apps, web services, plug-ins or applets, hardware microcode, low-code/no-code apps, or other software formats. Note that most practices in the SDL are applicable to secure computer hardware development as well.  
  • Platforms – whether the software is running on a ‘serverless’ platform approach, on an on-premises server, a mobile device, a cloud-hosted VM, a user endpoint, as part of a Software as a Service (SaaS) application, a cloud edge device, an IoT device, or anywhere else. 

The SDL focuses on 10 security practices to integrate into your development processes. 


Additional resources for the Microsoft SDL.

Frequently Asked Questions

SDL frequently asked questions.