SDL: Frequently Asked Questions

  • What is the Security Development Lifecycle?

    The Security Development Lifecycle (SDL) is the industry-leading software security assurance process created by Microsoft. A Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach, the SDL introduces security and privacy early and throughout the development process. It has led Microsoft to measurable and widely recognized security improvements in flagship products such as Windows Vista and SQL Server. With attacks moving to the application layer, Microsoft is committed to supporting a more secure and trustworthy computing ecosystem by making SDL process guidance, tools and training more accessible to every developer. Adopting the SDL within your organisation can help to significantly reduce your chances of compromise by cybercrime threats.

  • What are the impacts of cybercrime?

    Cybercrime is a huge market with serious financial implications for businesses everywhere:
    • A 2005 FBI survey estimated annual loss due to computer crime at $67.2 billion for U.S. organizations.
    • The estimated losses associated with identity theft in 2006 are $49.3 billion.
    • In a 2006 study, the Ponemon Institute, LLC found that the average cost of a data breach rose in 2006 to $4.8 million, an increase of 30 percent from the previous year.

  • What are my risks of an attack?

    • Every company is a target - Contrary to what you might expect, the vast majority of vulnerabilities are found in software that is produced by smaller software vendors. Only 14% of vulnerabilities in 2007 were in software from the 5 largest software vendors (Microsoft, Apple, Oracle, IBM and Cisco) (IBM X-Force 2007 security report).
    • Applications, rather than operating systems, are the most significant target - No matter how good a job your IT team does in locking down vendor software, a poorly developed application can open the system wide to attack. You are not just a consumer of product security features; you are a full partner with Microsoft in the process of securing your applications and your customers' and/or company's sensitive data.
    • 94% of new vulnerabilities in the first half of 2008 were in applications, only 6% in operating systems (Microsoft SIR 2008).
    • 89% of all disclosed vulnerabilities in 2007 could be exploited remotely (IBM X-Force 2007 security report).

  • What is the Microsoft SDL Pro Network?

    The Microsoft SDL Pro Network is a group of security consultants and trainers from around the world who specialize in application security and have substantial experience and expertise with the methodology and technologies of the Security Development Lifecycle (SDL), the industry-leading software security assurance process created by Microsoft and proven to be effective since 2004. The SDL Pro Network was created to address the challenges developers are facing with the increasing shift of attacks to the application layer. It is part of Microsoft's commitment to enable organizations outside the company to develop more secure applications through SDL technologies, prescriptive guidance and industry partnerships.

  • What services does the Microsoft SDL Pro Network offer me?

    The services offered by members closely follow the SDL, and were designed to span the entire lifecycle and make security and privacy an integral part of how software is developed. Specific offerings fall into the following capability areas:
    • Training, Policy and Organisational Capabilities - Including security training and general counsel on how to implement the SDL
    • Requirements and Design Services - Including risk analysis, functional requirements and threat modelling
    • Implementation Advice - Including use of safe APIs, code analysis and code review
    • Verification Services - Including black box security assessment, fuzz testing and web application scanning
    • Release and Response Services - Including Final Security Review (FSR), penetration testing, and response planning and execution

  • Why should I use the services of the Microsoft SDL Pro Network?

    With personal information becoming a valuable commodity for criminals, cybercrime poses a significant threat to every company, large or small. In addition, attacks are clearly shifting up the stack to the application layer. It has therefore become more critical that software developers embed security and privacy into their software development process through the SDL. Benefits for development organizations include:
    • Reduced customer risk and improved customer trust, by making software more inherently secure and protecting sensitive information.
    • Reduced total cost of development, by finding and eliminating vulnerabilities early in the design phase. According to the National Institute of Standards and Technology (NIST), eliminating vulnerabilities in the design stage can cost 30 times less than fixing them post-release.
    • Reduced cost of ownership for customers, by issuing fewer security patches and therefore lowering the cost of managing patches for your applications.

  • What proves that the SDL is effective?

    Flagship Microsoft products that were developed with the SDL show measurably reduced vulnerability counts after release, enhancing the security and privacy of the Microsoft platform to better protect Microsoft customers from malicious and costly attacks. Windows Vista, IE7 and SQL Server 2005 are examples of flagship products whose vulnerability counts after release have significantly decreased:
    • 45% reduction of vulnerabilities for Windows Vista (66) vs. XP (119) in the 1st year after release
    • 91% reduction of vulnerabilities for SQL Server 2005 (3) vs. 2000 (34) in the 3 years after release
    • 35% reduction of vulnerabilities (65% in high severity) for IE7 (17) vs. IE6 (26) in the 1st year
    Windows Vista, IE7 and SQL Server 2005 beat the competition in minimizing vulnerability counts. More globally, Microsoft's share of the total newly disclosed vulnerabilities significantly decreased from 4.2% in H1 2007 (1st place) to 2.5% in H1 2008 (3rd place), according to the IBM X-Force 2007 and 2008 security reports.

  • Is the SDL applicable to small companies?

    Yes. The relevance of the SDL is determined by the risk a company's software is exposed to, not by the company's size. Microsoft makes available a range of documents, tools and now services such as the SDL Pro Network, which are designed to help companies of all sizes adopt the SDL in a gradual, practical and cost-effective manner. To this end, Microsoft has developed the SDL Optimization Model, which allows development organizations, both small and large, to assess where they are in terms of current secure development practices, define their goals and create a practical roadmap based on their unique resources and risk profile.

  • What is the Microsoft SDL Optimization Model?

    The Microsoft SDL Optimization Model was created to facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside of Microsoft. It allows development managers and IT policy-makers to assess the state of security during development and create a vision and roadmap for reducing customer risk. In November 2008, the model will be freely available as a download from the MSDN Web site. The SDL Optimization Model provides development organizations with a way to self-assess their current software development security practices and create a strategy for gradual improvement.

  • What are the benefits of the Microsoft SDL Optimisation Model?

    There are three primary benefits of the Microsoft SDL Optimization Model. First, it enables a development organization to assess its current state of security during development. It then helps to create a long-term plan to build and achieve security assurance in software through relevant, innovative and practical process guidance - something that can be hard to come by. Finally, it helps outline practical and cost-effective activities to progressively attain measurable security process improvements with realistic resources and timelines.

  • Why did Microsoft decide to make the SDL available to the industry at large?

    Microsoft is committed to protecting customers and enabling a more trusted computing experience - one of the ways to reach this goal is by sharing security and privacy expertise, guidance, technology and processes with the industry. The combination of Microsoft's experience and proven success with the SDL and the expertise of the program members forms an excellent basis for helping development organisations outside of Microsoft to create more inherently secure applications.

  • Who are the members of the Microsoft SDL Pro Network?

    The one-year pilot program consists of nine companies:
    • Next Generation Security Software Ltd. (NGSSoftware), London, United Kingdom
    • Cigital Inc., Dulles, Va.
    • IOActive Inc., Seattle, Wash.
    • iSEC Partners Inc., San Francisco, Calif.
    • Leviathan Security Group Inc., Westminster, Colo.
    • n.runs AG, Oberursel, Germany
    • Security Innovation Inc., Wilmington, Mass.
    • Security University Inc., Stamford, Conn.
    • Verizon Business, Basking Ridge, N.J.

  • Can my company become a member of the Microsoft SDL Pro Network?

    The SDL Pro Network, which begins in November 2008, will run in a pilot phase for its first year of operation, so membership is limited during this time. However, over the next year, Microsoft and the member companies will evaluate how best to expand the program to others in the industry. For updates or for general information on the SDL or related resources, please visit the SDL portal, http://www.microsoft.com/sdl.
