Now available: Microsoft SDL version 5

Jeremy Dallman here to announce that we are releasing the latest version of the Microsoft Security Development Lifecycle process guidance – Version 5 (SDLv5). It is now available for download as well as updated in the MSDN library.


We have released incremental updates to the SDL process guidance document since 2008 in an effort to provide transparency into how we implement the SDL at Microsoft. If you are just getting started on investigating or implementing the SDL, we would encourage you to start with the SDL Optimization Model and the Simplified Implementation of the SDL paper and then use the SDLv5 guidance as an additional reference tool as needed for your own implementation.


What is new in the SDLv5 documentation?


We made a handful of significant changes in SDLv5 documentation. I summarize them below, but also encourage you to read the document for the detailed notes related to each (search in document for “New for SDL 5.0” and “Updated for SDL 5.0”).


1.       SDL for Agile included: The largest change in SDLv5 is the inclusion of SDL for Agile Development as an Addendum at the end. We took the SDL-Agile guidance that was published in November 2009 and included it in the parent SDL document to make it a one-stop resource.


2.       New and updated security requirements and recommendations


Requirements Phase (1 new)


New Requirements


·         Include third-party code licensing security requirements in all new contracts.


Design Phase (3 new)


New Requirements


·         Hardware: Perform hardware security design review.


·         Server/SaaS: Perform integration-points security design review.


·         Web application: Implement strong log-out and session management


Implementation Phase (10 new, 1 update)


New/Updated Requirements


·         Use Secure methods to access databases


·         Avoid LINQ ExecuteQuery


·         Avoid EXEC in stored procedures


·         Update: new minimum required versions for code analysis tools (also see Appendix E)


New Recommendations


·         Web applications: Use HTTPOnly cookies.


·         Implement reflection and authentication relay defense.


·         NULL out free’d memory pointers in new code


·         All sample code should be SDL compliant


·         Internet Explorer 8 MIME handling: HTTP response sniffing opt-out


·         Lock ActiveX controls to a defined set of domains


·         Verify use of ClickJacking defenses in code


Verification Phase (2 new, 2 updates)


New/Updated Requirements


·         Network fuzzing: Any new network parsers must be able to accept 100,000 malformed packets without failure


·         Update: Web applications: Use ViewStateUserKey or ValidateAntiForgeryTokenAttribute against CSRF attacks


·         Update: Do not use banned APIs in old or new code


New Recommendations


·         Web applications: Use a passive security auditor


Feel free to email ask questions via the email feature in the blog or the comments section below.