Security Development Lifecycle (SDL) document is now live

This document outlines the security-related process improvements we have put in place at Microsoft. We've been working on defining this for about two years now, and I'm really excited that we've now made it public 🙂


Comments (11)
  1. In the past decade it has been easy to slag Microsoft for their stance on security. It has appeared that the drive for profits has always trumped the safety and security of the code. When Microsoft decided to STOP development and retrain the ENTIRE development group about secure programming, many in the industry brushed it off as a PR stunt. But as I pointed out early last year, if we look at what Microsoft has been doing as of late, we can see that they have made significant changes to build a foundation for a more secure computing experience:

    - They have created better error-reporting software. They have found that the top 20% of their errors make up 80% of the problems. Knowing this and capitalizing on it allows Microsoft to significantly prioritize and reduce bugs that matter the most.
    - They have created better developer tools to help write more secure software, with the release of tools like prefix, prefast, AppVerifier and FxCop. Their only problem right now with this is that they AREN’T letting developers know about them!
    - They halted product development for a period of time and retrained their developers to code more securely.
    - They audited as much product source code as humanly possible and now have a dedicated lead security person for each component of the Windows source code to watch over code quality as it relates to security. Previously they had a clean-up crew come in after the fact and try to sanitize the master sources.
    - Microsoft has begun to provide more secure defaults when shipping new product. As a clear example we have seen the launch of Windows Server 2003 with a lessened attack surface than previous versions of their server product.
    - Microsoft now provides better tools such as the Microsoft Baseline Security Analyzer to analyze and audit patch management as it relates to security bugs in a proactive manner.
    - After major security incidents (like MSBlaster and MyDoom) Microsoft has released tools to help respond to and fix possibly vulnerable and compromised machines. Although these are not timely enough (IMHO), it’s still good to see.
    - Microsoft has provided a more definitive patch management cycle to address “patch hell” until their newer products get released that have a significantly lessened attack surface and better code quality.
    - Microsoft provides better integrated firewalling with their Internet Connection Firewall (ICF), released with the latest service pack for XP. OK, this item isn’t about secure coding… but more about a "secure by default" mentality.
    - Microsoft is being more open about the entire security process. And not just for PR purposes. More articles, documentation and transparent communication are now available through MSDN, Microsoft employee blogs, and Microsoft’s Security webcasts.

    The last bullet is what I want to talk about today. Michael Howard reports that you can now read about the security-related process improvements they have put in place at Microsoft. They have been working on defining this for about two years now, and as of today have made this document public. It is an excellent document providing real insight into what is going on with Microsoft’s own security development lifecycle. Well worth the investment in time to read and learn from. (Anyone who is arrogant enough to believe they know everything and cannot learn something from Microsoft’s experience here really shouldn’t be in this industry.) So check out Microsoft’s Security Development Lifecycle. Happy reading!…

  2. Jason Haley says:

    More interesting finds this weekend

  3. buddyprav says:

    provide SDLC documentation and CMM documentation.

  4. Microsoft’s Security Development Lifecycle Process

  5. rcme says:

    Lots of great info here Michael. I read Steve’s original paper, so I look forward to reading this one for the updates.


    Is this available as a "document" (i.e. .doc or .pdf)? Sometimes it is easier to read on paper, and printing from HTML doesn’t always format properly. There seems to be some inconsistency on the Microsoft website regarding documents. For example, this SDL document is only available as HTML, while other docs, like the Security Risk Management Guide, are available as .pdf, and yet others are available as .doc.

    Keep up the good work!!

  6. Michael Howard says:

    Yeah, we’ll make a download avail – not sure if it’s DOC or PDF. But watch this space 🙂

  7. Michael Howard mentions that Microsoft has published their Software Development Lifecycle for security. Slag all you want, but I don’t see a lot of other vendors doing this. And now, if you need leverage to get buy in, you…
