Microsoft Security Development Lifecycle (SDL) – Process Guidance
Microsoft Security Development Lifecycle (SDL) is an industry-leading software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach, the SDL introduces security and privacy early and throughout all phases of the development process. It has led Microsoft to measurable and widely-recognized security improvements in flagship products such as Windows Vista and SQL Server. Microsoft is publishing its detailed SDL process guidance to provide transparency on the secure software development process used to develop its products.
The following documentation provides an in-depth description of the Microsoft SDL methodology and requirements used at Microsoft. Proprietary technologies and resources that are only available internally at Microsoft have been omitted from these guidelines.
Organizations that wish to implement the SDL should read the Simplified Implementation of the Microsoft SDL whitepaper. This whitepaper illustrates the core concepts of the Microsoft SDL and discusses the individual security activities that should be performed in order to follow the SDL process. Visit www.microsoft.com/sdl for resources and tools.
This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.
This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.
This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2012 Microsoft Corporation. All rights reserved.