The Microsoft Security Development Lifecycle Extends Beyond Applications to Critical Infrastructure

This morning, I am sitting at the inaugural Security Development Conference 2012 in Washington DC listening to people from a diverse set of companies, government agencies and academic institutions sharing their own experiences with adopting a Security Development Lifecycle (SDL) process or learning how to accelerate adoption within their own organizations. As I watched the keynotes and sessions yesterday and see Scott Charney step onto the stage today, I am reminded of the early days at Microsoft when our customers were faced with security threats that challenged their trust in our products and services.  Creating the SDL was an important step in combating these threats and to this day the SDL continues to help reduce the number and severity of vulnerabilities found in Microsoft’s products.

To see more and more private and public organizations recognize the value and importance of implementing secure development practices makes me cautiously optimistic that in the future software will be more secure than the software we’ve seen in the past. I remember when in 1997 I attended the RSA Security Conference held in the basement of the Mark Hopkins Hotel in San Francisco with a few hundred attendees.  Today, the annual RSA Conference is a major industry event with more than 10,000 attendees. I’m not certain that the Security Development Conference will follow that sort of trajectory, but I do believe that secure development is of growing importance, and I also know that industry commitment can start small and grow.

As part of the conference we are announcing two new success stories in the critical infrastructure space that document adoption of the SDL beyond traditional application providers. The Government of India and Itron have both integrated the SDL into their processes and today we are sharing their stories through two newly-published case studies:

  • Government of India – The Government of India has recognized the importance of a holistic integration of security and is promoting that key concept by including secure coding practices in their draft national economic five-year plan. They believe this is a significant step that will help improve the security of all software and services produced in their programs. India’s Computer Emergency Response Team (CERT-In), which leads the country’s response to cyber threats, has already taken steps to implement the five-year plan by leveraging Microsoft’s SDL as one of the core tenets for application security. In addition, the National Informatics Centre, part of the Central Government Office of India, requires training in SDL principles, including the training of more than 10,000 of India’s cyber forensic investigators. The government of India is also encouraging domestic businesses to adopt similar processes, showcasing the significant role public-private partnerships play in making critical systems more secure. You can read more about the steps the Government of India is taking to secure its environment in the case study available for download here.
  • Itron, Inc. – Itron, a leading provider of energy and water resource management solutions for nearly 8,000 utilities around the world, has recently incorporated the SDL into their development process.  With the increase in threats to critical infrastructures, Itron realized it needed to take proactive steps to protect its systems by building security in from the start. The company recently implemented Microsoft’s SDL, making it mandatory for the development of all of its software and hardware.  Itron now has one of the most mature secure development programs in the Smart Grid space. You can read more about the steps Itron is taking to secure its systems through a case study we have published for download here.

These examples represent positive momentum in the public sector and critical infrastructures and demonstrate some of the great advancements the security community is making toward creating safer and more trusted computing experiences for everyone.  We hope the Security Development Conference 2012 will lead to more great stories like these in the coming year.

Together as an industry, we have a responsibility to deliver safer and more secure technologies that are trustworthy. If your organization is considering the adoption of an SDL process, visit the Microsoft SDL website where you can download free resources and tools. We have also established a network of consultants that can help you with your implementation. For more information on Microsoft’s SDL, please check out our website at


About the Author
Steve Lipner

Partner Director of Software Security, Trustworthy Computing

Steven B. Lipner is Partner Director of Software Security in Trustworthy Computing Security at Microsoft. He is responsible for programs that provide improved product security for Microsoft customers. Lipner leads Microsoft’s Security Development Lifecycle (SDL) team and is responsible for