A note on the recent SDL 4.1 process release…

Wanted to drop a quick note to talk about the SDL 4.1 process guidance that we released on May 19th…

While most of the attention and chatter from the development community has been focused on the announcement of the SDL Process Template for Visual Studio Team System and the addition of SAIC and SANS to the SDL Pro Network, the SDL 4.1 documentation release has a few important points to touch on.

First, it demonstrates our ongoing commitment to process transparency – we released the SDL 3.2 process documentation for the first time at RSA 2008 along with a promise to update it on a regular basis.  So here we are, just over a year later, with the latest changes.  Many people in the IT and developer communities are curious about the individual requirements and recommendations that make up the SDL.  Additionally, there has been a lot of interest on how a process like the SDL is applied at an organization the size of Microsoft – we think the new documentation does a good job at answering both these queries.

Second, there is a myth that I often hear repeated that the SDL “only works for Microsoft” or “is only suitable for development on Microsoft platforms.”  Honestly, that’s a bit of a shocker for me.  Security training, threat modeling, static code analysis, fuzz testing and other security actions performed as part of the SDL are *not* proprietary to Microsoft or the SDL.  While the 4.1 documentation *is* focused on how the SDL is applied at MS, it doesn’t require a Nobel Laureate to see that many of the things that make up the SDL are simply good security practices.  So, I’d encourage people to take a look at the requirements and recommendations that are listed in the document and form your own conclusions. Fight the FUD.

Finally, we’ve illustrated the changes that one would expect of a living process – the expected fine-tuning of our SDL requirements and recommendations to reflect changes in the security space.  In addition, we have included information on how the SDL is applied to online services (i.e., Microsoft’s publicly available websites) and how we use the SDL to build line-of-business (LOB) applications for internal use at Microsoft.  The changes specific to online services and LOB are called out in the text for easier review.

So that’s it – a quick snapshot of the 4.1 process.  As before, it’s available both as web guidance on the MSDN Security Developer Center and as a Word document from the MSDN Download Center.

As always, comments are welcome!

About the Author
Dave Ladd

Principal Security Group Program Manager