Security Development Lifecycle Gets an Agile Update

Microsoft on Monday released version 4 of its Security Development Lifecycle (SDL) initiative, a set of software development guidelines intended to improve application security. SDL version 4.1a specifically targets agile development scenarios, which Microsoft says places unique demands on the code security process.

SDL 4.1a documentation is available for download from the Microsoft Download Center Web site.

Established in 2004 as part of Redmond's Trustworthy Computing initiative, SDL was implemented to ensure that Microsoft's internal product teams conformed to rigorous best security practices when planning, writing and testing code improvements to all Microsoft software products. The program was established after a series of damaging, widespread attacks exploited flaws in Microsoft applications, including SQL Server, Internet Information Server, Office and the various Windows operating systems.

In the latest version of the SDL document, Microsoft describes the SDL as "a holistic and practical approach... that introduces security and privacy early and throughout all phases of the development process." SDL 4.1a targets challenges that arise when agile teams, aligned around weekly sprints and a highly iterative dev process, try to implement formal SDL practices.

"As an increasing number of organizations adopt the Agile development process for some or all of their development projects, Microsoft has evolved its SDL process to be effective in this accelerated development model," said David Ladd, principal security program manager of Microsoft’s Security Development Lifecycle team. "A well-managed software security program is a good investment at any time and can help minimize ongoing security-related maintenance costs while providing customers with a better security experience."

SDL 4.1a was on display at the Microsoft Tech-Ed Europe conference in Berlin, Germany, this week. Microsoft SDL Team Senior Security Program Manager Bryan Sullivan on Monday gave a presentation titled SDL-Agile: Microsoft's Approach to Security for Agile Products.

Sullivan in his presentation synopsis wrote that agile dev teams have struggled to implement SDL, because activities like threat modeling and security incident response planning add overhead that can overwhelm agile processes.

The Trustworthy Computing group at Microsoft also updated security guidance around cloud computing, in the form of a whitepaper titled “Security Considerations for Client and Cloud Applications.” That whitepaper is available for download here.

About the Author

Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.

comments powered by Disqus


  • Death of the Dev Machine?

    Here's a takeaway from this week's Ignite 2020 event: An advanced Azure cloud portends the death of the traditional, high-powered dev machine packed with computing, memory and storage components.

  • COVID-19 Is Ignite 2020's Elephant in the Room: 'Frankly, It Sucks'

    As in all things of our new reality, there was no escaping the drastic changes in routine caused by the COVID-19 pandemic during Microsoft's big Ignite 2020 developer/IT pro conference, this week shifted to an online-only event after drawing tens of thousands of in-person attendees in years past.

  • Visual Studio 2019 v16.8 Preview Update Adds Codespaces

    To coincide with the Microsoft Ignite 2020 IT pro/developer event, the Visual Studio dev team shipped a new update, Visual Studio 2019 v16.8 Preview 3.1, with the main attraction being support for cloud-hosted Codespaces, now in a limited beta.

  • Speed Lines Graphic

    New for Blazor: Azure Static Web Apps Support

    With Blazor taking the .NET web development world by storm, one of the first announcements during Microsoft's Ignite 2020 developer/IT event was its new support in Azure Static Web Apps.

  • Entity Framework Core 5 RC1 Is Feature Complete, Ready for Production

    The first release candidate for Entity Framework 5 -- Microsoft's object-database mapper for .NET -- has shipped with a go live license, ready for production.

Upcoming Events