Security Development Lifecycle Gets an Agile Update
Microsoft on Monday released version 4 of its Security Development Lifecycle (SDL) initiative, a set of software development guidelines intended to improve application security. SDL version 4.1a specifically targets agile development scenarios, which Microsoft says places unique demands on the code security process.
SDL 4.1a documentation is available for download from the Microsoft Download Center Web site.
Established in 2004 as part of Redmond's Trustworthy Computing initiative, SDL was implemented to ensure that Microsoft's internal product teams conformed to rigorous best security practices when planning, writing and testing code improvements to all Microsoft software products. The program was established after a series of damaging, widespread attacks exploited flaws in Microsoft applications, including SQL Server, Internet Information Server, Office and the various Windows operating systems.
In the latest version of the SDL document, Microsoft describes the SDL as "a holistic and practical approach... that introduces security and privacy early and throughout all phases of the development process." SDL 4.1a targets challenges that arise when agile teams, aligned around weekly sprints and a highly iterative dev process, try to implement formal SDL practices.
"As an increasing number of organizations adopt the Agile development process for some or all of their development projects, Microsoft has evolved its SDL process to be effective in this accelerated development model," said David Ladd, principal security program manager of Microsoft’s Security Development Lifecycle team. "A well-managed software security program is a good investment at any time and can help minimize ongoing security-related maintenance costs while providing customers with a better security experience."
SDL 4.1a was on display at the Microsoft Tech-Ed Europe conference in Berlin, Germany, this week. Microsoft SDL Team Senior Security Program Manager Bryan Sullivan on Monday gave a presentation titled SDL-Agile: Microsoft's Approach to Security for Agile Products.
Sullivan in his presentation synopsis wrote that agile dev teams have struggled to implement SDL, because activities like threat modeling and security incident response planning add overhead that can overwhelm agile processes.
The Trustworthy Computing group at Microsoft also updated security guidance around cloud computing, in the form of a whitepaper titled “Security Considerations for Client and Cloud Applications.” That whitepaper is available for download here.
Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.