The document outlines Microsoft's Security Development Lifecycle (SDL), detailing its history, phases, and implementation practices aimed at integrating security into software development processes. Key components include threat modeling, security training, and the establishment of design, implementation, and verification protocols to ensure secure software releases. Resources and tools for SDL and threat modeling are provided to support developers and teams in improving security measures.

1. Microsoft Security Development
Lifecycle (SDL)
Razi Rais | Senior Software Engineer | Microsoft

2. Who am I?
https://razibinrais.com
www.linkedin.com/in/razirais
https://github.com/razi-rais

3. Tech Foundation User Group
 Founder
 Established in 2011
 IT Pros and Developers
 Open for all to join!
JOIN  https://www.meetup.com/techfoundation

4. Key Takeaways
 Understand SDL (Secure Development Lifecycle)
 Process & Practices needed for SDL
 Threat Modeling
 Q&A
 Slides  will be emailed to you!
 Reach out for full workshop!

5. History of SDL | Started with a memo!!

6. History of SDL at Microsoft
• Bill Gates writes
“Trustworthy
Computing” memo
early 2002
• “Windows security
push” for Windows
Server 2003
• Security push and
FSR (Final Security
Review) extended to
other products
• Microsoft Senior
Leadership Team
agrees to require
SDL for all
products that:
• Are exposed to
meaningful risk
and/or
• Are Process
sensitive data
• SDL is enhanced
• “Fuzz” testing
• Code analysis
• Crypto design
requirements
• Privacy
• Banned APIs
• and more…
• Windows Vista is
the first OS to
go through full
SDL cycle
• Optimize the process
through feedback,
analysis and
automation
• Evangelize
the SDL to the
software
development
community:
• SDL Process
Guidance
• SDL Optimization
Model
• SDL Pro Network
• SDL Threat Modeling
Tool
• SDL Process
Templates
2002-2003
2004
2005-2007
Now

7. SDL | Bigger Picture
Education Accountability
Administer and track
security training
Incident
Response
(MSRC)
Establish release criteria
and sign-off as part of FSR
Process
Guide product teams to
meet SDL requirements

8. Pre-SDL Requirements: Security Training
Requirements Design Implementation Verification Release Response
Assess organizational knowledge on security and privacy –
establish training program as necessary
 Establish training criteria
 Content covering secure design, development, test and
privacy
 Establish minimum training frequency
 Employees must attend n classes per year
 Establish minimum acceptable group training
thresholds
 Organizational training targets (e.g. 80% of all
technical personnel trained prior to product
RTM)

9. Phase One: Requirements
Opportunity to consider security at the outset of a project
Design Implementation Verification Release Response
 Security Advisor reviews product plan, makes
recommendations,
may set additional requirements
 Mandate the use of a bug tracking/job assignment
system
 Define and document security and privacy bug
bars
 Development team identifies security
and privacy requirements
 Development team identifies lead
security and privacy contacts
 Security Advisor assigned

10. SDL Security & Privacy Bug Bar
 Privacy bug bar sample 
https://docs.microsoft.com/en-us/previous-
versions/windows/desktop/cc307403(v=msdn.10)?r
edirectedfrom=MSDN
 Security Bug Bar  https://docs.microsoft.com/en-
us/previous-
versions/windows/desktop/cc307404(v=msdn.10)?r
edirectedfrom=MSDN

11. Phase Two: Design
 Identify design techniques (layering, managed code,
least privilege, attack surface minimization)
 Document attack surface and limit through default
settings
Define and document security architecture, identify security critical components
Implementation Verification Release Response
 Threat Modeling
 Systematic review of features and product
architecture from a security point of view
 Identify threats and mitigations
 Online services specific requirements

12. Phase Three: Implementation
Full spectrum review – used to determine processes, documentation
and tools necessary to ensure secure deployment and operation
Verification Release Response
 Specification of approved build tools and
options
 Static analysis (PREFix, /analyze (PREfast),
FXCop)
 Banned APIs
 Use of operating system “defense in depth”
protections
(NX, ASLR and HeapTermination)
 Online services specific requirements (e.g.,
Cross-site scripting ,
SQL Injection etc.)
 Consider other recommendations (e.g.,
Standard Annotation Language (SAL))

13. Phase Four: Verification
Started as early as possible – conducted after “code complete” stage
Release Response
 Start security response planning – including response
plans for vulnerability reports
 Re-evaluate attack surface
 Fuzz testing – files, installable controls and network
facing code
 Online services specific requirements
 Conduct “security push” (as necessary)
 Not a substitute for security work done during
development
 Code review
 Penetration testing and other security testing
 Review design and architecture in light of new
threats

14. Phase Five: Release – Response Plan
Creation of a clearly defined support policy – consistent
with MS corporate policies
Response
 Provide Software Security Incident
Response Plan (SSIRP)
 Identify contacts for MSRC and
resources to respond to events
 24x7x365 contact information for 3-5
engineering, 3-5 marketing, and 1-2
management (PUM and higher)
individuals
 Ensure ability to service all code including “out
of band” releases and all licensed 3rd party
code.
 Complete final signoffs on Checkpoint Express –
validating security, privacy and corporate
compliance policies

15. Post-SDL Requirement: Response
“Plan the work, work the plan…”
 Execution on response tasks outlined during
Security Response Planning and Release Phases

16. SDL Guidance for Agile Methodologies
 Requirements defined by frequency, not
phase
 Every-Sprint (most critical)
 One-Time (non-repeating)
 Bucket (all others)

17. Alert: SDL Requires Process Improvement!
 Simply “looking for bugs” doesn’t make
software secure
 Must reduce the chance vulnerabilities enter
into design and code
 Requires executive commitment
 Requires ongoing process improvement
 Requires education & training
 Requires tools and automation
 Requires incentives and consequences

18. Resources
 Simplified Implementation of Microsoft SDL 
(Document & Planning
Sheet)https://www.microsoft.com/en-
us/download/details.aspx?id=12379

19. Resources
 Practical Guide to A Practical Guide to Designing
Secure Health Solutions Using Microsoft Azure 
https://aka.ms/azureindustrysecurity

20. Resources
 Microsoft SDL Cryptographic
Recommendations
http://download.microsoft.com/download/6/3/A/63AFA3DF
-BB84-4B38-8704-
B27605B99DA7/Microsoft%20SDL%20Cryptographic%20Re
commendations.pdf

21. Resources
 Manage the Security Risk of Using
Third-Party Components 
https://safecode.org/wp-
content/uploads/2017/05/SAFECode
_TPC_Whitepaper.pdf

22. Resources
 Microsoft SDL Tools 
https://www.microsoft.com/en-
us/securityengineering/sdl/resources

23. Microsoft SDL Home
https://www.microsoft.com/sdl

24. Threat Modeling
 Why?
 Find security and privacy problems when
there’s time to fix them
 Security Development Lifecycle (SDL)
requirement
 Deliver more secure products
 Who?
 The bad guys will do a good job of it!
 Maybe you will…your choice
 What?
 A repeatable process to find and address threats
to your product
 When?
 The earlier you start, the more time to plan and
fix
 Worst case is when you’re trying to ship/release

25. Example | Architecture Diagram

26. Example | Build Threat Model

27. Example | Review Threats

28. Example | Review Threats

29. Resources
 Microsoft Threat Modeling Tool: https://www.microsoft.com/en-
us/securityengineering/sdl/threatmodeling
 Microsoft Secure Development Lifecycle: https://www.microsoft.com/en-
us/securityengineering/sdl
 Threat Modeling Course: https://www.linkedin.com/learning/learning-threat-modeling-for-
security-professionals/
 Getting Started Guide: https://docs.microsoft.com/en-us/azure/security/develop/threat-
modeling-tool-getting-started
 Introduction to SDL: https://download.microsoft.com/download/9/3/5/935520EC-D9E2-413E-BEA7-
0B865A79B18C/Introduction%20to%20the%20Microsoft%20Security%20Development%20Lifecycle%20
(SDL).ppsx