Microsoft paper on their Security Development Lifecycle (SDL)

["Kenneth R. van Wyk" <Ken () KRvW com>]

FYI, Steve Lipner and Michael Howard have put out a paper describing 
Microsoft's Security Development Lifecycle (SDL).  The full paper can be 
found at: 
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp

You can find the abstract below as well.  Enjoy.

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


Abstract: This paper discusses the Trustworthy Computing Security Development 
Lifecycle (or SDL), a process that Microsoft has adopted for the development 
of software that needs to withstand malicious attack. The process encompasses 
the addition of a series of security-focused activities and deliverables to 
each of the phases of Microsoft's software development process. These 
activities and deliverables include the development of threat models during 
software design, the use of static analysis code-scanning tools during 
implementation, and the conduct of code reviews and security testing during a 
focused "security push". Before software subject to the SDL can be released, 
it must undergo a Final Security Review by a team independent from its 
development group. When compared to software that has not been subject to the 
SDL, software that has undergone the SDL has experienced a significantly 
reduced rate of external discovery of security vulnerabilities. This paper 
describes the SDL and discusses experience with its implementation across 
Microsoft software. (19 printed pages)