The Security Development Lifecycle (SDL) is the industry-leading software security assurance process that was created by Microsoft in 2004. It has since led to measurable security improvements in numerous flagship products. Microsoft developed the SDL as part of their Trustworthy Computing Initiative, with the objective of producing more secure software that can withstand malicious attacks. The SDL requires security and privacy measures during each stage of a product's development and a final review before the software is released.
Why Organizations Use the SDL
Implementing the SDL can help companies protect themselves and their customers from threat-no company is free from modern attacks that increasingly target applications rather than operating systems. The SDL is an excellent tool to help prevent these costly attacks by mitigating risk through the integration of security and privacy practices in a product's development. Flagship Microsoft products that were developed with the SDL have experienced considerably lower vulnerability counts after their release.
About the Microsoft SDL Pro Network
The SDL Pro Network is comprised of industry-leading companies that specialize in application security and have extensive experience and knowledge of the Microsoft SDL in particular. The program is designed to make the SDL accessible to organizations outside of Microsoft.
IOActive's SDL integration service is designed to help organizations integrate security into all phases of the software development process. Our consultants work alongside an organization's project managers, security architects, and coders to identify efficient methods for integrating security into the overall development process. Covering the complete lifecycle of software development, from conception to deployment, IOActive:
- Reviews practices and tasks
- Provides strategic recommendations for the implementation of a security-focused development lifecycle
- Identifies opportunities to increase the effectiveness of risk management for the enterprise
As a pioneer member in this initiative, IOActive has extensive experience with and knowledge of the SDL. We offer best-of-breed services to help organizations implement the SDL in their environment and develop more secure code that includes:
- Training. We provide security training and advice on implementing the SDL in addition to exploring your company's organizational and policy capabilities.
- Requirements and Design. We can help you plan how security will be integrated into your software design by examining user requirements, industry standards, and threat models.
- Implementation. We will teach your developers how to perform a code analysis and review, and enforce the use of safe APIs.
- Verification. We can perform additional security code reviews alongside fuzzing and web application scanning.
- Release and Response. We will perform a final security review that includes response planning and execution to determine whether your software is ready for customer delivery.
For more information, visit the Microsoft Developer Network.