Security Development Lifecycle Gets an Agile Update

Microsoft on Monday released version 4 of its Security Development Lifecycle (SDL) initiative, a set of software development guidelines intended to improve application security. SDL version 4.1a specifically targets agile development scenarios, which Microsoft says places unique demands on the code security process.

SDL 4.1a documentation is available for download from the Microsoft Download Center Web site.

Established in 2004 as part of Redmond's Trustworthy Computing initiative, SDL was implemented to ensure that Microsoft's internal product teams conformed to rigorous best security practices when planning, writing and testing code improvements to all Microsoft software products. The program was established after a series of damaging, widespread attacks exploited flaws in Microsoft applications, including SQL Server, Internet Information Server, Office and the various Windows operating systems.

In the latest version of the SDL document, Microsoft describes the SDL as "a holistic and practical approach... that introduces security and privacy early and throughout all phases of the development process." SDL 4.1a targets challenges that arise when agile teams, aligned around weekly sprints and a highly iterative dev process, try to implement formal SDL practices.

"As an increasing number of organizations adopt the Agile development process for some or all of their development projects, Microsoft has evolved its SDL process to be effective in this accelerated development model," said David Ladd, principal security program manager of Microsoft’s Security Development Lifecycle team. "A well-managed software security program is a good investment at any time and can help minimize ongoing security-related maintenance costs while providing customers with a better security experience."

SDL 4.1a was on display at the Microsoft Tech-Ed Europe conference in Berlin, Germany, this week. Microsoft SDL Team Senior Security Program Manager Bryan Sullivan on Monday gave a presentation titled SDL-Agile: Microsoft's Approach to Security for Agile Products.

Sullivan in his presentation synopsis wrote that agile dev teams have struggled to implement SDL, because activities like threat modeling and security incident response planning add overhead that can overwhelm agile processes.

The Trustworthy Computing group at Microsoft also updated security guidance around cloud computing, in the form of a whitepaper titled “Security Considerations for Client and Cloud Applications.” That whitepaper is available for download here.

About the Author

Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.

comments powered by Disqus


  • .NET Core Ranks High Among Frameworks in New Dev Survey

    .NET Core placed high in a web-dominated ranking of development frameworks published by CodinGame, which provides a tech hiring platform.

  • Here's a One-Stop Shop for .NET 5 Improvements

    Culled from reams of Microsoft documentation, here's a high-level summary of what's new for performance, networking, diagnostics and more, along with links to the nitty-gritty details for those wanting to dig in more.

  • Azure SQL Database Ranked Among Top 3 Databases of 2020

    Microsoft touted the inclusion of Azure SQL Database among the top three databases of 2020 in a popularity ranking by DB-Engines, which collects and manages information about database management systems, updating its lists monthly.

  • Time Tracker Says VS Code Is No. 1 Editor for Devs, Some Working 15+ Hours Per Day

    WakaTime, which does time tracking for programmers, released data for 2020 showing that Visual Studio Code is by far the top editor/IDE used by its coders, some of whom are hacking away for more than 15 hours per day.

Upcoming Events