The Secret of the SDL

“We all knew what the problems were, but the real issue was, things were getting worse and worse. How were we going to get ahead of this?  That’s what we really had to go fix.” – Steve Lipner, Partner Director of Program Management at Microsoft.

When researchers at a small firm called eEye Digital Security noticed a nasty self-replicating code known today as “Code Red,” little did they know that this worm named after a flavor of Mountain Dew, would also kick off the tech industry’s best security model.  Its stories like this one, captured in the new in depth magazine “Life in the Digital Crosshairs; the dawn of the Microsoft Security Development Lifecycle,” that chronicles how the Microsoft Security Development Lifecycle (SDL) has been helping public and private organizations for the past 10 years, change their engineering cultures and develop more secure software.

“Our Secure Product Lifecycle is analogous to Microsoft’s Security Development Lifecycle,” says Brad Arkin, chief security officer at Adobe.  “We value this process and the information it helps protect.”

Since its inception in 2004 when it was established as a mandatory policy, and the external release of SDL tools and framework in 2008, Microsoft’s SDL resources have been downloaded more than 1 million times, and reached more than 150 countries.  It has been adopted (sometimes in a modified form) by a variety of software and hardware vendors, government agencies, and software development organizations.  From the Government of India, to tech industry leaders, like Cisco and Adobe, the Microsoft SDL has influenced security development methods around the world.

The SDL is Microsoft’s internal software development process that helps developers build more secure software, and address security compliance requirements while reducing development cost. The SDL consists of seven phases – training, requirements, design, implementation, verification, release and response.

So, what’s the secret to the SDL success, or should we say, the secret to its influence? The SDL builds a foundation of trust by doing two very important things:

  • Offering a clear and simple outline for implementing a security development framework
  • Helping organizations address compliance requirements while also improving the security of their development efforts

The SDL is continuously evolving and improving.  It is updated to take advantage of newly developed defensive techniques and in anticipation of emerging threats.  It is a mandatory practice for product development at Microsoft.

Read more about the exciting SDL journey by downloading Life in the Digital Crosshairs.  To learn more about how others that have implemented secure development within their own organizations, check out Microsoft’s has free resources on Tim Rains Director Trustworthy Computing

About the Author
Tim Rains

Chief Security Advisor, Microsoft Worldwide Cybersecurity & Data Protection

Tim Rains is Chief Security Advisor of Microsoft’s Worldwide Cybersecurity & Data Protection group where he helps Microsoft’s enterprise customers with cybersecurity strategy and planning. Formerly, Tim was Director Cybersecurity & Cloud Strategy in Trustworthy Computing at Microsoft, where he Read more »