I’m starting to use the SDL, but how do I…?

Jeremy Dallman here with another release of free SDL documents. Today we are making available a library of templates to help you get started with the SDL practices and activities that are process-oriented rather than tool-driven.

One of the big questions we faced early at Microsoft, and are now hearing again as companies of all sizes adopt the SDL in their own organizations, is "How do I [insert SDL practice or process activity]?" Most frequently, these questions concern the SDL practices that cannot be addressed with tools because they are process-oriented or require judgment and analysis.

As these questions started coming in from other companies, we dug into our internal archives for the documents we used early on at Microsoft. Most of these documents have since been incorporated into web forms or our internal SDL management dashboards. However, we found that they still serve as very useful templates for other companies. Now we want to let other SDL organizations look at them and put them to good use as well!

Today, we are releasing a small library of templates for SDL practices that can help you address:

  • Defining Security Requirements
  • Creating a Security Bug Bar
  • Performing a Security Risk Assessment
  • Conducting a basic threat model (when not using the SDL Threat Modeling Tool or the Elevation of Privilege (EOP) card game)
  • Managing SDL Exception Requests
  • Performing a Final Security Review

… as well as a .ZIP that contains all of the templates in a single package.

These documents are published under the same Creative Commons license as our other SDL documents. Please put them to use in their default form (without edits), as templates to modify/customize for your unique needs, or simply as a catalyst for brainstorming and creating your own documents. The goal is to help you accelerate implementation of the SDL practices and gather valuable security information about your projects.

We are glad to share these pieces of the Microsoft SDL with the ecosystem and look forward to hearing about how they were used in your own SDL projects.