We have received quite a number of requests from various organizations and individuals that wish to use our Security Development Lifecycle (SDL) content to build out their own secure development processes. We have put a lot of thought into these requests and how best to service them.
Up to this point, Microsoft has released SDL information using a license that did not allow for reproduction, inclusion or transfer of any part of our documentation or process without express written consent from Microsoft.
I am happy to announce that from this point forward, Microsoft will be making our publicly available SDL documentation and other SDL process content available to the development community under a Creative Commons license. Specifically, we will be using the license that specifies Attribution, Non-Commercial, Share Alike (cc by-nc-sa) terms.
By changing the license terms, we are now allowing people and organizations to copy, distribute and transmit the documentation to others; this means that you can now incorporate content from the SDL documents we release under Creative Commons into your internal process documentation – subject to the terms specified by the Creative Commons license mentioned above.
You can learn more about the specifics of that license here: http://creativecommons.org/licenses/by-nc-sa/3.0/
Note that we do not intend to change the licensing for any of the SDL tools released by Microsoft – those will continue to use existing Microsoft licenses.
Our first two documents for release under a Creative Commons license will be the English versions of the “Simplified Implementation of the Microsoft SDL” whitepaper and the Microsoft Security Development Lifecycle (SDL) – Version 5.0 paper that illustrates how Microsoft applies the SDL to our own products and services. Those releases will be completed over the next few weeks.
There is a lot of information on our portal about the SDL: case studies, whitepapers, training materials, etc. It is our intention to analyze this content and apply Creative Commons licenses to these works as well – assuming it makes sense and isn’t already covered by new works under a CC license. It will take time for us to analyze and repost the documents with the new license – so we ask for your patience.
It’s our hope that by making the SDL documentation more accessible and portable, more people will start doing secure development and realizing the benefits of incorporating security and privacy throughout the development lifecycle.