Even more on Microsoft’s SDL

In 2006, Microsoft Press published The Security Development Lifecycle, by Michael Howard and Steve Lipner. (Microsoft’s Security Development Lifecycle blog is here.)

Beginning in October 2008, Scott Swigart and Sean Campbell of Cascade Insights have been publishing a series of articles (each between 3 and 7 pages) to further examine Microsoft’s SDL. This “SDL Series” can be found here. Five of the eight articles have now been published:

SDL Series – Article #1:
Investigating the Security Development Lifecycle at Microsoft

SDL Series – Article #2:
Security Education at Microsoft

SDL Series – Article #3:
The Microsoft Security Org Chart

SDL Series – Article #4:
Threat Modeling at Microsoft

SDL Series – Article #5:
Microsoft Security Toolbox

SDL Series – Article #6:
Microsoft’s Security Response

SDL Series – Article #7:
Evolution of the Microsoft SDL

SDL Series – Article #8:
Microsoft SDL Investigation: The Wrap Up

Swigart & Campbell’s first article begins like this, acknowledging the importance of Howard & Lipner’s book:

In 2006, Michael Howard and Steve Lipner published “The Security Development Lifecycle,” opening the door to Microsoft’s internal methodology for producing more secure software. In this column series, we will walk through the phases of the Microsoft Security Development Lifecycle (SDL) and examine how the SDL is currently put into practice on a daily basis in the development of Microsoft’s products. The goal of our effort, through interviews and research, will be to further pull back the covers on Microsoft’s practices for creating software upon which millions of users (and billions of dollars) depend.

They continue like this:

Proven Effective Methodology

In “The Security Development Lifecycle,” Howard and Lipner made a series of bold statements. On the first page of the introduction, the authors state, “We can categorically state that the SDL does lead to more secure software.” They go on to claim that, at the time of writing, Microsoft customers “have benefited from a vulnerability reduction of more than 50% because of the SDL.”

Finally, the authors throw down the gauntlet and say, “If you are not implementing a process similar to the SDL, the processes you have now do not create more secure products.”

Do methodologies matter? In our investigation for the How Software Is Built blog, we have delved into the development methodology differences between primarily closed source companies like Microsoft, and numerous open-source projects, like Linux distributions. We can state without reservation that projects which form the core of Linux distros do not use a process similar to the SDL, and differences in development methodologies are something we’ll examine as we perform our investigation.

Our Methodology

In doing this investigation, we will use the book, “The Security Development Lifecycle,” as our guide, and focus in on the following aspects:
 Education and Awareness
 Security Team Organization
 Threat Modeling
 Automated Tools
 Security Response
 The Evolution of the SDL

You can see that the outline for the series has grown from those six aspects to eight articles, which isn’t surprising, given the importance of the subject. Take a look also at Scott and Sean’s blog, How Software is Built, where you can find loads of interviews, including an interview with Michael about, yep, the SDL. Does Mr. Howard talk about anything else? I’ve asked him to send us something not related to security for the blog. We’ll see what we get; stay tuned!


Comments (4)

  1. In “Even more on Microsoft’s SDL” I asked whether Michael Howard talked about anything else. The answer

  2. We’ve been posting recently about Microsoft’s Security Development Lifecycle (SDL). Michael has just

  3. A new article in the "SDL Series."