Microsoft Security Development Lifecycle (SDL)

From the msdn developer security center website...

The Microsoft Security Development Lifecycle (SDL) is the industry-leading software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, SDL has played a critical role in embedding security and privacy into Microsoft software and culture. Combining a holistic and practical approach, SDL introduces security and privacy early and throughout the development process. It has led Microsoft to measurable and widely recognized security improvements in flagship products such as Windows Vista and SQL Server. As part of its commitment to supporting a more secure and trustworthy computing ecosystem, Microsoft is making SDL process guidance, tools and training available for every developer.

“Microsoft’s Trustworthy Computing initiative is perhaps the most advanced and comprehensive application security program in the industry.” “Managing Application Security From Beginning To End,” Forrester Research, Inc., August 2007

Today I got a chance to sit down and talk to Kevin Lam from Eclipse Security, LLC about a project that they are working on for me. I've been reading the Microsoft SDL version 3.2 document to better understand it. I got a very cool 30 minute overview of the document from Kevin Lam. Kevin was explaining to me why the Microsoft Secure Development Lifecycle (SDL) matters. The Microsoft SDL is about a lot of things that matter, like reducing risk and trying not to forget the important things. The SDL is a structured way of thinking about secure software development, so that you don't forget the important stuff when building your application.

The Army does the same thing with junior leaders by making Infantry officers utilize the 5 paragraph Operations Order. I had to go over this over and over when I was a Second Lieutenant at the US Army Infantry Officer Basic Course at Fort Benning, Georgia in 1992. The 5 paragraph operations order was a structured way for an infantry officer to approach an upcoming operation, and not forget important operational details in the fog of battle. It didn't matter how tired you were, you always knew Situation, Mission, Execution, Service & Support, and Command & Signal. It was key to a successful operation. As the infantry officer progressed and moved forward to field grade, it was necessary to understand the Military Decision Making Process (MDMP). The MDMP was key for Battalion and Staff planning to successfully plan and execute a brigade-sized mission in a theater of operations such as Afghanistan or Iraq. The 5 paragraph operations order and MDMP are part of the overall Air Land Battle doctrine that helps the Army to form a fighting system.

The Microsoft SDL is no different from a conceptual point of view. The SDL is a collection of standardized planning and design best practices that help developers write secure code and avoid more costly mistakes later in the SDL process.

Why SDL?

1.) It's about Reducing Risks

2.) It's more expensive in later stages of the SDL if you don't follow the above guidance.

3.) Brand dilution for your commercial software is more expensive than the developers you have to employ in the planning and design stages

4.) Defusing the media when your application gets hacked or your data gets stolen is expensive in terms of reputation, time, and money

5.) The SDL helps you to identify a vulnerability in your application design early on

6.) The SDL helps to hold your development team accountable to writing secure code

7.) Threat Modeling matters. Ask Adam Shostack when you get a chance about Threat Modeling.

Threat Modeling helps you to analyze the attack surface and do a bit of war gaming (from the military MDMP) to see how someone could breach your defenses and get your customers' information. If you ask your customers, they won't care about Security or Privacy as such. They just want to know whether they are safe online using your software or application. Threat Modeling and the SDL can help you keep that promise. So check out the Microsoft SDL at Special thanks to Ziv Fass and John Boylan for getting the information ready for customers and posted to the msdn developer security center.