Free ebook: The Security Development Lifecycle

Hello, Michael Howard here, from the Microsoft Cybersecurity team. It’s hard to imagine that Steve Lipner and I wrote The Security Development Lifecycle: A Process for Developing Demonstrably More Secure Software (Microsoft Press, 2006) a decade ago. Even though much has changed in the intervening years, it’s amazing how the simple fundamentals still hold true.

In the book we talk of “banned functionality,” or functionality that is dangerous and should never be used, and we still talk about the topic today, even though some of the specifics are a little different. Threat modeling, which has a dedicated chapter in the book and which is a cornerstone of the Microsoft Security Development Lifecycle (SDL), is a critical component of any application architecture today.

Sure, the book doesn’t mention “IoT” or “cloud” and the word “mobile” rarely gets mentioned, but banned functionality, threat modeling, and numerous other core SDL tenets—such as a static analysis, bug bars, fuzz testing, and correct cryptographic design—apply to IoT, cloud, and mobile as much as they do to three-tier applications and websites. For example, Microsoft recently released a paper on IoT security architecture, and the first section’s title is “Security starts with a threat model.”

Microsoft’s practice of the SDL has evolved and matured over the last decade, and there’s lots of current guidance and tools available for download at the SDL website. But as I re-read our SDL book recently, I was struck by how much of it is as applicable today as it was yesterday, and it’s because of this that we’re delighted to release the book as a free download from Microsoft Press. Click here to initiate download of the PDF (20.5 MB). Click here to initiate download of the EPUB (3.3 MB)(Please note that the companion materials that were originally released on a CD with the book won’t be made available.)

We hope that more people will read The Security Development Lifecycle and make small changes to their current design, development, and testing practices so as to improve their products’ security.

Michael Howard
Austin, Texas
April 2016

Comments (12)
  1. Sedthakit Prasanphanich says:

    Thanks for the release! However, I still insist that you should release the material in the CD also.

  2. Gorav says:

    This is awesome.

  3. Steve Lipner says:

    Steve Lipner here. Many thanks to Microsoft Press for making this release happen. Even though the SDL book is ten years old, a lot of folks still find it a valuable reference. I’m delighted that it’ll be broadly available to help development teams improve the security of their software.

  4. Syed says:

    Could you please send me a copy of book.


  5. Howard Israel says:


  6. Eric Lawrence says:

    Any chance you can change those download links over to HTTPS instead?

    1. Hi Eric – the links have been updated to https.

  7. Thank you for the great resource.

  8. Andriy says:

    Big thanks for the release.
    Unfortunately epub version is not compatible with Google Play Books. shows few errors and warnings.

  9. Winnie Peter says:

    Its awesome. Thank you.

Comments are closed.

Skip to main content