Security Development Lifecycle

from Wikipedia, the free encyclopedia

Trustworthy Computing Security Development Lifecycle (abbreviated SDL; rendered in German as "development cycle for trustworthy computer use") is a concept published by Microsoft in 2004 for the development of secure software. It is aimed at developers whose software has to withstand malicious attacks. Put very simply, it is a collection of do's and don'ts, tips and tools. It was first used in the development of Windows Vista.

SDL is still part of software development at Microsoft; in 2011 the company's Trustworthy Computing Group took stock of the results achieved with the method to date.

Principles

Microsoft bases SDL on the following principles:

Secure by design
The security issues of the software should already be addressed in the planning phase.
Secure by default
Despite careful planning, a developer should assume that security holes exist. For this reason, the default settings (e.g. required privileges) should be set as low as possible, and rarely used features should be deactivated by default.
Secure in deployment
The documentation and tools supplied are intended to support the administrators in setting up the software as optimally as possible.
Communications (software)
Developers should deal openly with possible security gaps and provide end users with patches or workarounds quickly.
Privacy by design
Data protection concerns of the software should be taken into account as early as the planning phase.
Privacy by default
The software's standard settings should be chosen conservatively.
Privacy in deployment
Data protection mechanisms should be disclosed to enable administrators to implement the company's internal data protection guidelines.
Communications (privacy)
Data protection declarations should be formulated transparently. A data protection incident team should be established.
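The following Python script is an added illustration of the "secure by default" and "secure in deployment" principles above; it is not Microsoft's code and not part of the original article. Every setting is given the most restrictive value that still yields a working service, riskier values must be switched on explicitly by the administrator, and a deployment audit reports each deviation from the defaults so the administrator can see what has been opened up. The service settings, the account name and the sample override file are all constructed for the example.

```python
"""Secure-by-default configuration with a deployment audit (added example)."""
import json
from dataclasses import dataclass, fields
from typing import List, Tuple


@dataclass(frozen=True)
class ServiceConfig:
    # Secure by default: each default is the most restrictive working value.
    # Anything riskier must be set explicitly by the administrator.
    listen_address: str = "127.0.0.1"      # not reachable from the network
    listen_port: int = 8443
    tls_required: bool = True
    run_as_user: str = "svc-hypothetical"  # unprivileged account (constructed name)
    debug_endpoints: bool = False          # rarely used feature: off by default
    remote_admin_api: bool = False         # rarely used feature: off by default
    allowed_admin_cidrs: Tuple[str, ...] = ()


# Settings whose non-default value widens the attack surface, with the reason
# an administrator should see in the deployment report.
RISKY_WHEN_CHANGED = {
    "listen_address": "service becomes reachable from the network",
    "tls_required": "credentials and data travel in clear text",
    "debug_endpoints": "debug endpoints expose internals to clients",
    "remote_admin_api": "administrative interface is exposed remotely",
}


def load_config(overrides_json: str) -> ServiceConfig:
    """Apply administrator overrides on top of the secure defaults.

    Unknown keys are rejected so that a typo cannot silently leave a
    setting at a value the administrator did not intend."""
    overrides = json.loads(overrides_json)
    known = {f.name for f in fields(ServiceConfig)}
    unknown = set(overrides) - known
    if unknown:
        raise ValueError(f"unknown setting(s): {sorted(unknown)}")
    if "allowed_admin_cidrs" in overrides:
        overrides["allowed_admin_cidrs"] = tuple(overrides["allowed_admin_cidrs"])
    return ServiceConfig(**overrides)


def audit(cfg: ServiceConfig) -> List[str]:
    """Secure in deployment: list every deviation from the secure defaults
    and every combination that is unsafe on its own."""
    defaults = ServiceConfig()
    findings = []
    for name, reason in RISKY_WHEN_CHANGED.items():
        if getattr(cfg, name) != getattr(defaults, name):
            findings.append(f"{name}={getattr(cfg, name)!r}: {reason}")
    if cfg.run_as_user == "root":
        findings.append("run_as_user='root': service runs with full privileges")
    if cfg.remote_admin_api and not cfg.allowed_admin_cidrs:
        findings.append(
            "remote_admin_api enabled without allowed_admin_cidrs: reachable by anyone"
        )
    return findings


# Constructed sample override file such as an administrator might ship.
SAMPLE_OVERRIDES = json.dumps({
    "listen_address": "0.0.0.0",
    "remote_admin_api": True,
    "run_as_user": "root",
})


if __name__ == "__main__":
    cfg = load_config(SAMPLE_OVERRIDES)
    for line in audit(cfg):
        print("WARNING:", line)
```

With the sample override file the audit reports four findings: the network-wide listen address, the remotely exposed admin API, the root account, and the admin API being enabled without any address restriction. An untouched configuration produces no findings, which is the point of the principle: the safe state is the one you get without doing anything.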

The SDL process

The list below is taken from Microsoft's documentation:

  1. Requirements phase: Identification of the security requirements and protection goals of the software to be created and its interfaces
  2. Design phase: identification of the security-critical components; risk modeling
  3. Implementation: Use of tools and test methods as well as code reviews
  4. Review phase: beta test with users, systematic search for security flaws
  5. Release: Is the software really ready for delivery?
  6. Creation of the ability to react quickly to discovered errors and weak points

References

  1. Steve Lipner and Michael Howard: Development Cycle for Secure Software. In: MSDN. May 30, 2005.
  2. Description of the improvements in Windows Vista by using the Security Development Lifecycle
  3. http://www.microsoft.com/en-us/download/details.aspx?id=14107
  4. http://heise.de/-1219377
  5. Microsoft Security Development Lifecycle. Retrieved October 22, 2018.

External links