• Software Products
  • Internet Security
    • Typhon III
    • DominoScan II
    • OraScan
    • NGSSniff
  • Database Security
    • NGS Auditor
    • NGSSQuirreL for SQL Server
    • NGSSQuirreL for Oracle
    • NGSSQuirreL for DB2
    • NGSSQuirreL for Sybase ASE
    • NGSSQuirreL for Informix
    • NGSSQLCrack
  • Software Partners
• Testing Consultancy Services
  • Testing & Assessment
    • Penetration Testing
    • Infrastructure Assessment
    • Application Assessment
    • Cryptology Evaluation
    • Blackberry Assessment
    • PCI Assessment
    • Wireless Assessment
  • Design & Response
    • War Dialling
    • Secure Coding
    • Security Design
    • Security Response
  • SDL Consultancy
    • SDL Frequently Asked Questions
• Forensic Investigation
• Security Training
  • Web Application (In)Security
  • Advanced Database Security Assessment
  • Network and Infrastructure Security
• Research

SDL Frequently Asked Questions

What is the Microsoft SDL?

The Microsoft SDL is a security assurance process that is focused on software development. As a company-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft. Combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process.


Why should I use the SDL?

Computer crime poses a significant threat to every organization, large or small. Therefore, it has become more critical that software developers embed security and privacy into their software development process through the SDL. Benefits for development organizations include:

- Reduce risk and improve trust by making software more inherently secure and protecting sensitive information.
- Reduce the total cost of development by finding and eliminating vulnerabilities early in the development process. According to the National Institute of Standards and Technology (NIST), eliminating vulnerabilities in design stage can cost 30 times less than fixing them post release.


Has the SDL improved the security of Microsoft products?

The SDL has proven to be effective in reducing vulnerability counts of flagship Microsoft products after release. Windows Vista and SQL Server 2005 are examples of flagship products whose security has been significantly improved:

- 45% reduction of disclosed vulnerabilities for Windows Vista (66) vs. XP (119) in the first year after release
- 91% reduction of disclosed vulnerabilities for SQL Server 2005 (3) vs. 2000 (34) in the three years after release


Why did Microsoft decide to make the SDL available to the public?

Microsoft is committed to protecting customers and enabling a more trusted computing experience – one of the ways to reach this goal is by sharing security and privacy expertise, guidance, technology and processes.


Can the Microsoft SDL apply to small organizations?

Yes, the SDL is comprised of proven security practices that work in development organizations regardless of their size or platform.


Do I have to follow the Microsoft SDL Process Guidance exactly in order to be SDL compliant?

Organizations can be compliant with the SDL if they follow the Simplified Implementation of the Microsoft SDL. This paper helps organizations understand the core concepts of the Microsoft SDL and the individual security activities that should be performed. The SDL Process guidance shares the way Microsoft applies the SDL to its own products. Organizations wishing to know more details about how Microsoft has applied the SDL are encouraged to download the process guidance as a supplement to the Simplified SDL.


Can I get access to the previous releases of the Microsoft SDL?

Yes, all versions of the SDL remain available for download. Click on the link below to access each version:

- Version 3.2 of the Security Development Lifecycle process guidance (April 2008)
- Version 4.1 of the Security Development Lifecycle process guidance (May 2009)
- Version 4.1a of the Security Development Lifecycle process guidance (November 2009)


Why does Microsoft update the SDL frequently?

The SDL process guidance is frequently updated to reflect current industry best practices and address emerging threats.


What are the main differences between SDL version 3.2 and SDL version 4.1?

The SDL version 4.1:

- Includes online services and line of business application development guidance
- Is more closely aligned to the traditional development phases: Requirements, Design, Implementation, Verification, Release, plus a Training phase (pre-requisite) and a Response phase (requirement).
- Includes updates to the standard requirements and recommendations.


What is the main difference between SDL version 4.1 and SDL version 4.1a?

With emerging development models, Microsoft has continued to evolve its development security practices. The SDL version 4.1a now includes SDL for Agile, a streamlined approach on how to build more secure applications for Agile Development. Agile is a dominant methodology for managing Web and cloud-based projects.


Why did Microsoft create the SDL Pro Network?

With attacks mainly focused on the application layer, it has become more critical that organizations protect their customers by embedding security and privacy into their software. Microsoft created the SDL Pro Network to help development organizations adopt the SDL and embed security and privacy into their software and development culture. The SDL Pro Network is a group of security consultants, training companies, and tool providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the SDL.


Which services do the SDL Pro Network members offer?

Closely following the SDL, the services are designed to span the entire lifecycle and make security and privacy an integral part of how software is developed. Specific offerings fall into the following capability areas:

- Training, Policy and Organizational Capabilities, including security training and advice on how to implement the SDL
- Requirements and Design, including risk analysis, functional requirements and threat modeling
- Implementation, including use of banned APIs, code analysis and code review
- Verification, including fuzzing and Web application scanning
- Release and Response, including final security review (FSR), penetration testing, and response planning and execution


What is the SDL Optimization Model?

The SDL Optimization Model is a maturity model that provides development organizations with a way to self-assess their current software development security practices and create a strategy for gradual improvement. It allows development managers and IT policy-makers to assess the state of the security during development and create a vision and roadmap for reducing software risk.


What are the benefits of the SDL Optimization Model?

There are two primary benefits of the SDL Optimization Model:

- It enables development organizations to assess their current state of security during development.
- It helps create a long-term gradual plan to build and achieve measurable security assurance in software.


What is the difference between the Microsoft SDL Optimization Model and other software development maturity models?

- The SDL Optimization Model gives you a logical order of practical activities to gradually roll out your program.
- It allows you to benchmark and validate your progress against a set of activities.


What is the SDL Process Template for VSTS?

The SDL Process Template for VSTS is a downloadable template that integrates the policy, process and tools associated with the SDL (version 4.1) directly into the Visual Studio Team System development framework.


Are there any requirements to use the SDL Process Template for VSTS?

Visual Studio Team System 2008 is required to use the SDL Process Template.


Why should I use the SDL Process Template for VSTS?

The SDL Process Template helps development teams write more secure code by:

- Integrating the SDL into the familiar Visual Studio development environment.
- Generating a detailed Final Security Review report that allows management to document and verify that SDL requirements were met prior to a product's release.

The SDL Process Template also helps demonstrate security return on investment by allowing for the integration of third-party tools that work with Team Foundation Server (TFS). Through reporting and security bug management, the template provides data that allows development organizations to assess the effectiveness of their security tools.


Does the SDL Process Template for VSTS automate security?

The SDL Process Template automates the application of the SDL to a specific development project. The template automatically integrates the basic components of the SDL process: the SDL requirements, recommendations, guidance, process and tools into an easy-to-use, familiar development framework.


What software development methodologies does the template address/not address?

This template was developed to work with Waterfall/Spiral development methodologies. The template is intended to equip development teams with the basic components of the SDL in a way that is customizable for nearly any development methodology. Depending on the methodology, varying degrees of customization will be necessary.


Is there a template for Agile development environments?

Yes. Microsoft has released the MSF-Agile+SDL Process Template which integrates the policy, process and tools of the SDL for Agile guidance into the familiar MSF-Agile template that ships with Visual Studio Team System (VSTS). The MSF-Agile+SDL template is similar to the SDL Process Template, but is more suitable for projects following an Agile development methodology. The MSF-Agile+SDL Process Template can be used either with Visual Studio Team System (or Team Foundation Server) 2008 or 2010.


What is threat modeling?

Threat modeling is a repeatable process that helps you identify and mitigate threats to your product.


Why should I threat model?

Threat modeling enables development teams to better understand the threat that a component will have to face after release. A threat model can help a team figure out how to organize their security efforts such as determining the scope and focus of penetration testing and fuzzing efforts.


What is the difference between the SDL Threat Modeling Tool and the ACE Threat Modeling Tool?

The SDL Threat Modeling Tool is the official threat modeling tool for software developed at Microsoft.

Copyright © NCC Group 2006 - 2009 | All Rights Reserved Home | Sitemap | Terms and Conditions