It’s Really Only 16 Security Practices – Implementation Guidance Included!

[update 3/22/10: The Excel spreadsheet referenced in this post is now available for download:]


Hey everyone, Jeremy Dallman here with a new way to sort and view the SDL practices and implementation guidance. In April 2010, we worked closely with the Archer Corporation (since acquired by EMC) to integrate the Microsoft SDL into the RSA Archer eGRC Platform as an Authoritative Source. This integration allows any company using the RSA Archer eGRC Platform to download the Microsoft SDL Authoritative Source and manage its SDL efforts in parallel with any compliance activities it already manages in the RSA Archer eGRC Platform.

When we worked with Archer to integrate the SDL into their framework, the SDL practices had to be broken into a new taxonomy that would fit their task-oriented model. In keeping with the Simplified Implementation of the SDL, the goal was to do more than just list “what security activities you should be doing” – we wanted actionable implementation guidance. To accomplish this, we assigned a numeric designation to each SDL Phase and Practice and then filled in the supporting guidance for each activity in the Implementation Details section. These Implementation Details were copied directly from the Simplified SDL paper to retain the platform-independent nature of the SDL. For the practices where platform-specific guidance is widely used, we chose to append that information as Additional Notes.

We have found that this task-oriented structure, built in a simple Excel spreadsheet, has become useful in some of our new documentation. We thought it might also be useful to share that spreadsheet to simplify importing and adopting the 16 security practices of the SDL in your organization.


[The Microsoft Simplified SDL Practices spreadsheet is attached at the bottom of this blog post]

I would encourage you to use this spreadsheet alongside the Simplified SDL paper to find what best fits your organization or workflow management process. If your task management system can import from Excel, it might be as easy as importing the spreadsheet and assigning tasks.

However you choose to use this new way to parse the SDL Practices, I hope it will help you better understand the SDL for what it is – a set of 16 security practices with clear implementation guidance that can be spread across your software development lifecycle to improve the security of your applications.

If you have questions about the Simplified SDL or this spreadsheet view of the Simplified SDL Practices, please don’t hesitate to send them our way, either in the comments section or on the SDL Forums on MSDN.

Join the conversation


good one