Frequently Asked Questions
About the Microsoft Security Development Lifecycle (SDL)
What is the Microsoft SDL?
The Microsoft SDL is a software development security assurance process created by and used at Microsoft. Combining a holistic and practical approach, the SDL introduces security and privacy throughout all phases of the development process.
- To understand how Microsoft has improved the security of our products and demonstrate our commitment to Trustworthy Computing, we have released the Microsoft SDL as used at Microsoft in the Microsoft SDL Process guidance.
- To assist development organizations wishing to adopt the best practices demonstrated by the Microsoft SDL, we have released the Simplified Implementation of the Microsoft SDL whitepaper, which provides actionable guidance on the sixteen security practices used to support secure development.
Has the SDL improved the security of Microsoft products?
As a company-wide initiative and a mandatory policy at Microsoft since 2004, the SDL has played a critical role in embedding security and privacy in Microsoft’s software and culture. The SDL has proven to be effective at reducing vulnerability counts of flagship Microsoft products after release. Windows Vista and SQL Server 2005 are examples of flagship products whose security has been significantly improved:
- 45% reduction of disclosed vulnerabilities for Windows Vista (66) vs. XP (119) in the first year after release.
- 91% reduction of disclosed vulnerabilities for SQL Server 2005 (3) vs. 2000 (34) in the three years after release.
Learn more about these product comparisons.
Why did Microsoft decide to make the SDL available to the public?
Microsoft is committed to protecting customers and enabling a more trusted computing experience. One of the ways to reach this goal is by sharing security and privacy expertise, guidance, technology, and processes.
Some of our publicly available SDL process documentation is available to the development community under the Attribution, Non-Commercial, Share Alike (cc by-nc-sa) terms of the Creative Commons license, which allows organizations to copy, distribute and transmit the documentation to others. This allows organizations to incorporate content from the SDL documents released under Creative Commons into their internal process documentation.
About the Simplified Implementation of the Microsoft SDL
Why should I use the SDL?
Computer crime poses a significant threat to every organization, large or small. By adopting the SDL, development organizations will:
- Reduce risk and improve trust by making software inherently more secure and protecting sensitive information. Read the MidAmerican SDL Chronicles for insight into how the SDL improved the software security of MidAmerican Energy by reducing the number of high-level threats from 14,000 to less than 100 within 273 days.
- Reduce the total cost of development and generate a positive ROI by finding and eliminating vulnerabilities early in the development process:
- Analyst reports (Forrester Consulting's State of Application Security and Aberdeen Group's Security and the Software Development Lifecycle: Secure at the Source) have demonstrated that adopting prescriptive and holistic secure software development processes like the Microsoft SDL generates a positive Return on Investment. More specifically, Aberdeen Group's independent report estimated that organizations implementing structured programs for security development realized a very strong 4.0-times return on their annual investments in applications security.
- According to the National Institute of Standards and Technology (NIST), eliminating vulnerabilities in the design phase of the software development process can cost thirty (30) times less than fixing them post release.
- Improve the efficiency of compliance activities. By aligning governance, risk, or compliance activities with SDL security practices, organizations may improve the efficiency of their compliance activities and further improve the ROI of their application security investments. For more information read the SDL and HIPAA Security Rule whitepaper as well as the SDL and PCI DSS/PA-DSS Compliance Activity whitepaper.
Can the Microsoft SDL apply to small organizations?
Yes. The SDL consists of proven security practices that work in development organizations regardless of their size or platform.
Which security activities should my organization perform in order to follow the Microsoft SDL process?
The core concepts and individual security activities of the Microsoft SDL that should be performed by development organizations are described in the Simplified Implementation of the Microsoft SDL whitepaper:
- Core Security Training
- Establish Security Requirements
- Create Quality Gates / Bug Bars
- Perform Security and Privacy Assessment
- Establish Design Requirements
- Analyze Attack Surface
- Perform Threat Modeling
- Use Approved Tools
- Deprecate Unsafe Functions
- Perform Static Analysis
- Perform Fuzz Testing
- Review Attack Surface
- Create Incident Response Plan
- Perform Final Security Review
- Archive release project data
- Execute Incident Response Plan
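The "Deprecate Unsafe Functions", "Create Quality Gates / Bug Bars" and "Perform Static Analysis" practices above are easiest to picture as a build step. The following is an added example, not code from the SDL guidance or from Microsoft: a small Python scanner that flags calls to a representative subset of the unbounded C runtime functions the SDL bans, ignores occurrences inside string literals and line comments so it does not produce false positives, and applies a bug-bar style severity gate. The severity assignments, the replacement-function names and the sample C source are all constructed for this example and are not the SDL's own Bug Bar or banned-API list.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Representative subset of unbounded C functions that the "Deprecate Unsafe
# Functions" practice replaces with bounded alternatives. The replacement
# names and the severities are assumptions for this example, not the SDL's
# published banned-API list or Bug Bar.
BANNED_FUNCTIONS = {
    "gets":    ("gets_s",    "Critical"),
    "strcpy":  ("strcpy_s",  "Important"),
    "strcat":  ("strcat_s",  "Important"),
    "sprintf": ("snprintf",  "Important"),
    "strncpy": ("strncpy_s", "Moderate"),
}

# Bug-bar style gate: any finding at or above the threshold blocks the release.
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}
GATE_THRESHOLD = "Important"

@dataclass
class Finding:
    line: int
    function: str
    severity: str
    replacement: str

# Match an identifier from the banned list only when it is followed by "(",
# so strcpy_s(...), fgets(...) and my_strcpy(...) are not reported.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, BANNED_FUNCTIONS)) + r")\s*\(")

def scan_source(source: str) -> list[Finding]:
    """Return one Finding per banned call, skipping strings and comments."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = re.sub(r'"(?:\\.|[^"\\])*"', '""', raw)  # blank out string literals
        code = re.sub(r"//.*", "", code)                 # drop line comments
        code = re.sub(r"/\*.*?\*/", "", code)            # drop single-line block comments
        for match in CALL_RE.finditer(code):
            name = match.group(1)
            replacement, severity = BANNED_FUNCTIONS[name]
            findings.append(Finding(lineno, name, severity, replacement))
    return findings

def gate_passes(findings: list[Finding], threshold: str = GATE_THRESHOLD) -> bool:
    """True when no finding meets or exceeds the bug-bar threshold."""
    limit = SEVERITY_RANK[threshold]
    return all(SEVERITY_RANK[f.severity] < limit for f in findings)

# Constructed sample C source: one real banned call, one mention inside a
# string literal and one inside a comment (both must be ignored).
SAMPLE_SOURCE = """\
#include <string.h>
#include <stdio.h>

void greet(char *dst, const char *name) {
    strcpy(dst, name);                 /* banned: unbounded copy */
    printf("strcpy is spelled out in this string, not called\\n");
    // sprintf(dst, "%s", name);      -- commented out, should be ignored
    snprintf(dst, 64, "Hello %s", name);
}
"""

if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line}: {f.function}() is banned [{f.severity}]; use {f.replacement}()")
    print("quality gate:", "PASS" if gate_passes(results) else "FAIL")
```

Run as a script it reports the single strcpy call on line 5 and fails the gate, because an Important finding meets the Important threshold; raising the threshold to Critical would let the same code through, which is exactly the decision a bug bar makes explicit. A real deployment would feed a compiler's static-analysis output instead of regex matching, but the gate logic is the same.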
Are there resources available to help me deploy the Microsoft SDL at my organization?
Are there consulting services available to assist my organization in implementing the SDL?
Microsoft Services and the SDL Pro Network offer training, consulting, and tools services designed to help organizations adopt the SDL process and make security and privacy an integral part of their software development.
Specific offerings include the following areas:
- Training, policy and organizational capabilities, including security and privacy training and advice on how to implement the practices and tools recommended by the SDL.
- Requirements and design, including risk analysis, functional requirements, and threat modeling.
- Implementation, including use of banned APIs, static code analysis, and code review.
- Verification, including dynamic security testing and web application review.
- Release and response, including attack surface and threat model reviews, final security review, and response planning and execution.
- Security tools, such as static analysis tools for the Implementation Phase and dynamic and binary analysis tools for the Verification Phase.
About the Microsoft SDL Process Guidance
What is the Microsoft SDL Process Guidance?
The SDL Process Guidance illustrates the way Microsoft applies the SDL process to its own products. All versions of the SDL Process Guidance are available for download.
Should I leverage the Microsoft SDL Process Guidance as a resource to implement the SDL at my organization?
No. The Microsoft SDL Process Guidance illustrates the way Microsoft applies the SDL to its own technologies and software. You should download and leverage the Simplified Implementation of the Microsoft SDL whitepaper, which provides clear guidance on the sixteen security practices to support secure development. Because each organization is unique, it is important that you determine your own security requirements and which tools are appropriate for your organization.
Why does Microsoft update the SDL Process Guidance frequently?
The Microsoft SDL Process Guidance is frequently updated to reflect current industry best practices and address emerging threats. We encourage you to read the SDL Progress Report that illustrates the progress Microsoft has made from 2004 to 2010 in using the SDL and security science to reduce vulnerabilities and mitigate threats to Microsoft software and services.
What are the main differences between SDL Process Guidance version 3.2 and SDL Process Guidance version 4.1?
The Microsoft SDL Process Guidance version 4.1:
- Includes online services and line of business application development guidance.
- Is more closely aligned to the traditional development phases: Requirements, Design, Implementation, Verification, Release, plus a Training phase (prerequisite) and a Response phase (requirement).
- Includes updates to the standard requirements and recommendations.
What is the main difference between SDL Process Guidance version 4.1 and SDL Process Guidance version 4.1a?
With emerging development models, Microsoft has continued to evolve its development security practices. The SDL Process Guidance version 4.1a includes SDL for Agile, a streamlined approach to building more secure applications with Agile development. Agile is a dominant methodology for managing Web and cloud-based projects.
What is the main difference between SDL Process Guidance version 4.1a and SDL Process Guidance version 5.0?
The Microsoft SDL Process Guidance version 5.0 includes new security requirements and recommendations being used at Microsoft – including guidance for Waterfall and Spiral development, Agile development, web applications and Line of Business applications.
What is the main difference between SDL Process Guidance version 5.0 and SDL Process Guidance version 5.1?
The Microsoft SDL Process Guidance version 5.1 includes new security requirements and recommendations being used at Microsoft during the Design, Implementation, and Verification phases, as well as new security requirements for Line-of-Business Applications development.
What is the main difference between SDL Process Guidance version 5.1 and SDL Process Guidance version 5.2?
The Microsoft SDL Process Guidance version 5.2 adds clarifications to the Security Bug Bar and includes updated guidance on new exploit mitigations and other attack surface reduction practices.