Expanding SDL for Cloud and Agile Development


With more and more business customers deciding between client, cloud, or both for their computing environments, security guidance must be dynamic and evolve along with the community.  Because security and privacy are key concerns affecting adoption of cloud computing, the industry has an opportunity to assure customers that web applications running on cloud platforms can operate in a safe and trusted environment.

Microsoft has made a series of moves to take its secure development best practices beyond its borders to the broader developer community. This has included a body of guidance, an SDL Optimization Model, the creation of a network of certified service providers through the SDL Pro Network and a no-cost SDL Threat Modeling tool.  All of these, plus subsequent releases of SDL programs, tools, guidance and technologies have better enabled software developers and industry partners to build security and privacy directly into software applications and provide their users with a more trusted computing experience.

Yesterday at the Tech·Ed Conference in Berlin, Germany, Microsoft announced two new SDL offerings:

  • Security Considerations for Client and Cloud.  Download a whitepaper from the SDL team that discusses security issues associated with “client and cloud” applications, and the steps Microsoft has taken to evolve SDL to address those security issues in Microsoft services.
  • SDL 4.1a, expanded to include Agile Development processes.  Download the latest SDL process guidance that includes SDL for Agile Development, a streamlined approach that melds Agile methods and security. Comprehensive yet flexible, the SDL for Agile guidance includes all SDL requirements, but provides guidance on how to apply them even for very short release cycles.

Let me briefly expand on each of these.

Security Considerations for Client and Cloud

As the computing industry considers cloud computing, customers are concerned with how data will be protected.  In a September 2009 online survey of IT Pros, about 51% cited security and data privacy concerns as the biggest impediment to adopting cloud services.

In Security Considerations for Client and Cloud, Microsoft takes a look at security from the point of view of development organizations that may be considering hosting their application with a 3rd-party infrastructure (i.e., “cloud”) provider.


If you are to host your well-coded application on a 3rd-party infrastructure, at a high level, you should be asking questions (of potential cloud providers) concerning two general areas of security:

  • Operational Security and Compliance.  If you have regulations governing your industry (e.g. healthcare), what does the provider do to make sure you are in compliance?  What have they done to demonstrate their operational security?
  • Security Features and Service Level.  Additionally, different providers may offer different cloud security features (e.g. supporting certain types of authentication) and different security service levels in their SLA.  Ask for details to ensure that you know exactly what they will provide you (from a security perspective) as your partner in delivering services to your customers.

Of course, fundamentally, application software, whether traditional or for the cloud, still needs a structured security development process such as SDL.  So, make sure you are using a structured security development process like SDL for your application. 

What?  You say you have a 2 week release process and use an Agile development process?  No problem, read on…

SDL for Agile Development

If you are using an Agile development process, you are not alone. Agile development methods are being adopted more and more frequently in enterprises around the world.  According to a recent independent analyst report, 85 percent of technology industry professionals have adopted Agile development methods at some level of maturity.

Note:  if you are not familiar with Agile development and would like to know more, you may want to read a bit more on http://www.agilemanifesto.org.   Wikipedia defines it as:

Agile software development refers to a group of software development methodologies based on iterative development, where requirements and solutions evolve through collaboration between self-organizing cross-functional teams. The term was coined in the year 2001 when the Agile Manifesto was formulated.


Notable early Agile methods include Scrum (1995), Crystal Clear, Extreme Programming (1996), Adaptive Software Development, Feature Driven Development, and Dynamic Systems Development Method (DSDM) (1995). These are now typically referred to as Agile Methodologies, after the Agile Manifesto published in 2001.

If you take a look at Bryan Sullivan’s SDL Blog post concerning SDL for Agile, he gives a great description of how the team approached the task of taking the comprehensive SDL requirements and processes and organizing the guidance into an Agile-friendly structure that can be flexibly applied to long or short agile development projects.  I’ll give a quick summary of his post.

If you look at the Security Development Lifecycle and how it is described by phases, you can see that it was originally developed to integrate with the spiral-based product development process used by Microsoft to develop Windows and other business products.  Though there are many differences between spiral and Agile methodologies, two key differences stand out to me:

  • Agile development methodologies don’t have defined phases, and
  • Agile releases tend to be much shorter, in some cases only a week or two

To address these differences, SDL for Agile breaks the SDL into three categories of requirements: every-sprint requirements, the requirements so important that they must be completed every iteration; one-time requirements, the requirements that only have to be completed once per project no matter how long it runs; and bucket requirements, the requirements that still need to be completed regularly but are not so important that they need to be completed every sprint.

SDL for Agile also provides guidance for adapting many of the core SDL activities to Agile. Threat modeling is a perfect example: a team could easily spend an entire week-long sprint performing threat modeling, but this may not be the best use of their time. SDL-Agile describes how a team can spend an appropriate amount of time modeling new features as well as how to build up a baseline of threat models for existing functionality.

To get the full SDL for Agile guidance, download SDL 4.1a, expanded to include Agile Development processes, and read through the new sections on Agile.

Final Thoughts

As the computing industry evolves, Microsoft continues to invest in security and privacy fundamentals and ensures its software development processes, best practices and technologies extend from Client to Cloud environments.  The release of SDL for Agile and the cloud security white paper highlights Microsoft’s continued efforts to meet the changing needs of the development community and ultimately will help create a more trusted online computing experience.

Best regards, Jeff

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional that has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends