The SDL Chronicles: Diverse Companies and Industries Share the ROI of Security Development Processes

I’m happy to announce that we have now released The SDL Chronicles.  We have been working with many outside institutions to help document their secure application development journey and what they learned.  Together, these stories make up The SDL Chronicles.  It is really interesting to me to see all these stories collectively rather than as individual pieces.  It is much easier now to see the similarities in what all of these institutions underwent in understanding the new, challenging threat landscape. They then built consensus for not just doing the “quick fix” but for solving the problem systemically through a cultural shift. From this effort they were able to realize not only the benefits of enhanced security but also direct benefits for doing the right thing, in terms of more productivity and an excellent ROI.  All of these stories conclusively show that process and culture matter, and while it may take some time and resources, the net result is worth the investment.

The Chronicles include stories from groups as diverse as MidAmerican Energy, the State of India, Itron and Good Harbor Consulting, giving us a comprehensive view across different scenarios but with many common themes.  These institutions, who implemented the SDL, have all leveraged the guidance and tools supplied freely by Microsoft.  Microsoft’s experience has allowed them to get a head start on their own programs.  That is one of the important reasons why we put these stories together: to help you jumpstart a program in your institution by showing how it can be done and the kinds of results that can be realized.  The Security Development Lifecycle helps unite diverse groups in a common process and framework to work more efficiently and to focus resources on the most important objectives.  It is also very interesting to see how the SDL is being extended by Itron in the case of low-level hardware design and by the government of India in helping train their forensic police forces.  The SDL has grown and adapted to fit not only Microsoft’s requirements but also needs as disparate as low-level hardware design and forensic police work.

We hope you enjoy reading the Chronicles and come away with your own powerful lessons from these collective stories.  Please share your thoughts and experiences with us.

About the Author

Trustworthy Computing, Microsoft

Douglas Cavit helps protect and secure global critical information infrastructure through technology innovation and collaborative efforts with others in industry and government. Specifically, he drives forward the SDL process as a methodology to improve development and implementation of technology in …

Join the conversation

  1. Anonymous

    This happening document describes how Itron adopted the Microsoft Security Development Lifecycle (SDL) to manage Someone Make of Standards and Technology recommended security guidelines for Smart Grid Cyber Security. It also describes how Itron used the principles of the SDL not only in their application security but also in the component design of their System products.

