Many software development organizations, including many product and online services groups within Microsoft, use Agile software development and management methods to build their applications. Historically, security has not been given the attention it needs when developing software with Agile methods. Since Agile methods focus on rapidly creating features that satisfy customers’ direct needs, and security is a customer need, it’s important that it not be overlooked. In today’s highly interconnected world, where there are strong regulatory and privacy requirements to protect private data, security must be treated as a high priority.
There is a perception today that Agile methods do not create secure code, and, on further analysis, the perception is reality. There is very little “secure Agile” expertise available in the market today. This needs to change. But the only way the perception and reality can change is by actively taking steps to integrate security requirements into Agile development methods.
Microsoft has embarked on a set of software development process improvements called the Security Development Lifecycle (SDL). The SDL has been shown to reduce the number of vulnerabilities in shipping software by more than 50 percent. However, from an Agile viewpoint, the SDL is heavyweight because it was designed primarily to help secure very large products, such as Windows and Microsoft Office, both of which have long development cycles.
If Agile practitioners are to adopt the SDL, two changes must be made. First, SDL additions to Agile processes must be lean. This means that for each feature, the team does just enough SDL work for that feature before working on the next one. Second, the development phases (design, implementation, verification, and release) associated with the classic waterfall-style SDL do not apply to Agile and must be reorganized into a more Agile-friendly format. To this end, the SDL team at Microsoft developed and put into practice a streamlined approach that melds agile methods and security—the Security Development Lifecycle for Agile Development (SDL-Agile).
This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.
This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.
This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2012 Microsoft Corporation. All rights reserved.