As a company-wide initiative and a mandatory policy at Microsoft since 2004, the SDL has played a critical role in embedding security and privacy in Microsoft’s culture and software. The SDL has proven to be effective at reducing vulnerability counts of flagship Microsoft products after release.
Yes. The SDL is composed of proven security practices that work in development organizations regardless of their size or platform.
The core concepts and individual security activities of the Microsoft SDL that should be performed by development organizations are described in the Simplified Implementation of the Microsoft SDL white paper:
- Provide Training
- Define Security Requirements
- Define Security Quality Bars and KPIs
- Use Threat Modeling
- Establish Design Requirements
- Encrypt Data Everywhere
- Use Secure Third-Party Components
- Use Approved Tools
- Perform Static Analysis Security Testing (SAST)
- Perform Dynamic Analysis Security Testing (DAST)
- Perform Penetration Testing
- Establish a Standard Incident Response Process for Your Organization
Microsoft makes SDL training resources, templates for SDL practices, and SDL tools available on the Microsoft SDL Resources page to help perform the security activities of the Microsoft SDL process. If you have any questions related to the SDL process or SDL tools, visit the SDL forum.
Microsoft Services offers training, consulting, and tools and services designed to help organizations adopt the SDL process and make security and privacy an integral part of their software development.
No. The Microsoft SDL Process Guidance illustrates the way Microsoft applies the SDL to its own technologies and software. You should download and use the Simplified Implementation of the Microsoft SDL white paper which provides clear guidance on the twelve security practices to support secure development. Each organization being unique, it is important that you determine your own security requirements and which tools are appropriate for your organization.