Jump to content

Main menu Navigation ●Main page ●Contents ●Current events ●Random article ●About Wikipedia ●Contact us ●Donate Contribute ●Help ●Learn to edit ●Community portal ●Recent changes ●Upload file

●Create account ●Log in ●Create account ● Log in Pages for logged out editors learn more ●Contributions ●Talk

(Top) 1 Versions 2 See also 3 Further reading 4 External links

Microsoft Security Development Lifecycle

●Deutsch ●日本語 ●Português ●Русский ●中文 Edit links ●Article ●Talk ●Read ●Edit ●View history Tools Actions ●Read ●Edit ●View history General ●What links here ●Related changes ●Upload file ●Special pages ●Permanent link ●Page information ●Cite this page ●Get shortened URL ●Download QR code ●Wikidata item Print/export ●Download as PDF ●Printable version Appearance From Wikipedia, the free encyclopedia (Redirected from Trustworthy Computing Security Development Lifecycle)

The Microsoft Security Development Lifecycle (SDL) is the approach Microsoft uses to integrate security into DevOps processes (sometimes called a DevSecOps approach). You can use this SDL guidance and documentation to adapt this approach and practices to your organization.

The practices described in the SDL approach can be applied to all types of software development and all platforms from classic waterfall through to modern DevOps approaches and can be generally applied across:

Software – whether you are developing software code for firmware, AI applications, operating systems, drivers, IoT Devices, mobile device apps, web services, plug-ins or applets, hardware microcode, low-code/no-code apps, or other software formats. Note that most practices in the SDL are applicable to secure computer hardware development as well.
Platforms – whether the software is running on a ‘serverless’ platform approach, on an on-premises server, a mobile device, a cloud hosted VM, a user endpoint, as part of a Software as a Service (SaaS) application, a cloud edge device, an IoT device, or anywhere else.

The SDL recommends 10 security practices to incorporate into your development workflows. Applying the 10 security practices of SDL is an ongoing process of improvement so a key recommendation is to begin from some point and keep enhancing as you proceed. This continuous process involves changes to culture, strategy, processes, and technical controls as you embed security skills and practices into DevOps workflows.

The 10 SDL practices are:

Establish security standards, metrics, and governance
Require use of proven security features, languages, and frameworks
Perform security design review and threat modeling
Define and use cryptography standards
Secure the software supply chain
Secure the engineering environment
Perform security testing
Ensure operational platform security
Implement security monitoring and response
Provide security training

Versions[edit]

Version	Release date	Link
1	January 2004	Unreleased
2	July 2004	Unreleased
2.1	January 2005	Unreleased
2.2	July 2005	Unreleased
3	January 2006	Unreleased
3.2	2008-04-15	http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24308
4.1	2009-06-01	http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=15526
4.1a	2010-04-15	http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17701
5	2010-05-11	http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=12285
5.2	2012-05-23	http://www.microsoft.com/en-us/download/details.aspx?id=29884
6	2024-05-21	https://www.microsoft.com/securityengineering/sdl