Security Development Lifecycle Gets an Agile Update

Microsoft on Monday released version 4 of its Security Development Lifecycle (SDL) initiative, a set of software development guidelines intended to improve application security. SDL version 4.1a specifically targets agile development scenarios, which Microsoft says places unique demands on the code security process.

SDL 4.1a documentation is available for download from the Microsoft Download Center Web site.

Established in 2004 as part of Redmond's Trustworthy Computing initiative, SDL was implemented to ensure that Microsoft's internal product teams conformed to rigorous best security practices when planning, writing and testing code improvements to all Microsoft software products. The program was established after a series of damaging, widespread attacks exploited flaws in Microsoft applications, including SQL Server, Internet Information Server, Office and the various Windows operating systems.

In the latest version of the SDL document, Microsoft describes the SDL as "a holistic and practical approach... that introduces security and privacy early and throughout all phases of the development process." SDL 4.1a targets challenges that arise when agile teams, aligned around weekly sprints and a highly iterative dev process, try to implement formal SDL practices.

"As an increasing number of organizations adopt the Agile development process for some or all of their development projects, Microsoft has evolved its SDL process to be effective in this accelerated development model," said David Ladd, principal security program manager of Microsoft’s Security Development Lifecycle team. "A well-managed software security program is a good investment at any time and can help minimize ongoing security-related maintenance costs while providing customers with a better security experience."

SDL 4.1a was on display at the Microsoft Tech-Ed Europe conference in Berlin, Germany, this week. Microsoft SDL Team Senior Security Program Manager Bryan Sullivan on Monday gave a presentation titled SDL-Agile: Microsoft's Approach to Security for Agile Products.

Sullivan in his presentation synopsis wrote that agile dev teams have struggled to implement SDL, because activities like threat modeling and security incident response planning add overhead that can overwhelm agile processes.

The Trustworthy Computing group at Microsoft also updated security guidance around cloud computing, in the form of a whitepaper titled “Security Considerations for Client and Cloud Applications.” That whitepaper is available for download here.

About the Author

Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.

comments powered by Disqus


  • What's New in TypeScript 5.5, Now Generally Available

    Microsoft shipped the latest iteration of its type-infused superset of JavaScript, TypeScript 5.5, introducing inferred type predicates, control flow narrowing, JSDoc @import and other enhancements.

  • GitHub Copilot for Azure Gets Preview Glitches

    This reporter, recently accepted to preview GitHub Copilot for Azure, has thus far found the tool to be, well, glitchy.

  • New .NET 9 Templates for Blazor Hybrid, .NET MAUI

    Microsoft's fifth preview of .NET 9 nods at AI development while also introducing new templates for some of the more popular project types, including Blazor Hybrid and .NET MAUI.

  • What's Next for ASP.NET Core and Blazor

    Since its inception as an intriguing experiment in leveraging WebAssembly to enable dynamic web development with C#, Blazor has evolved into a mature, fully featured framework. Integral to the ASP.NET Core ecosystem, Blazor offers developers a unique combination of server-side rendering and rich client-side interactivity.

  • Nearest Centroid Classification for Numeric Data Using C#

    Here's a complete end-to-end demo of what Dr. James McCaffrey of Microsoft Research says is arguably the simplest possible classification technique.

Subscribe on YouTube