Directions on Microsoft Update, March 2006. Sidebar to the associated article: Shipping Software: The End Game Revisited
Security Development Lifecycle


The following is a sidebar accompanying an article published by Directions on Microsoft, an independent research firm focused exclusively on Microsoft strategy and technology.

As a key part of its Trustworthy Computing Initiative, Microsoft reassessed and updated each phase of its internal development life-cycle to add security-focused activities and deliverables.

These activities and deliverables, collectively known as the Security Development Lifecycle (SDL), include the following:

  • Developing threat models early in the process to ensure the product team understands potential attack vectors, characterizes the security of its features, and identifies threats early so that they can be mitigated during the design, coding, and testing phases
  • Using static analysis code-scanning tools (such as PREfast) during development and testing to help find possible defects in the product's source code, including buffer overflows, which are a common attack vector exploited by malicious code
  • Conducting code reviews and security testing at various phases of product development
  • Subjecting products to a final security review by a team independent from the development group
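The kind of defect the static-analysis bullet refers to, as an added illustration that is not code from the sidebar or from Microsoft: a copy whose length comes from the input with no comparison against the destination size, beside the checked form that a reviewer or tool would ask for. The function names and the 16-byte name buffer are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed fixed-size destination buffer */

/* Before: the pattern a code-scanning tool flags. The copy length is taken
   from the input and is never compared against the size of dst, so an
   input longer than NAME_MAX - 1 bytes writes past the end of the buffer.
   Kept only to show the defect; nothing here calls it with oversized input. */
void copy_name_unchecked(char *dst, const char *src, size_t src_len) {
    memcpy(dst, src, src_len);   /* overflow when src_len >= NAME_MAX */
    dst[src_len] = '\0';
}

/* After: the destination size is an explicit parameter, the length is
   validated before any write, and an oversized input is rejected rather than
   silently truncated. Returns true only when dst holds the complete name. */
bool copy_name_checked(char *dst, size_t dst_size,
                       const char *src, size_t src_len) {
    if (dst == NULL || src == NULL || dst_size == 0) {
        return false;
    }
    if (src_len >= dst_size) {   /* must leave room for the terminator */
        dst[0] = '\0';           /* never hand back an uninitialised buffer */
        return false;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}

int main(void) {
    /* Constructed inputs: one that fits, one that would have overflowed. */
    char name[NAME_MAX];
    const char *ok = "alice";
    const char *too_long = "a-name-longer-than-sixteen-bytes";

    printf("%s -> %s\n", ok,
           copy_name_checked(name, sizeof name, ok, strlen(ok)) ? name : "rejected");
    printf("%s -> %s\n", too_long,
           copy_name_checked(name, sizeof name, too_long, strlen(too_long)) ? name : "rejected");
    return 0;
}
```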

Three products, Visual Studio 2005, SQL Server 2005, and BizTalk Server 2006 Beta 2, all of which shipped in Nov. 2005, used the SDL throughout their lifecycle from design to release. All new major enterprise products and products for the Internet, such as Internet Explorer and Internet Information Services, must use the SDL process.

Although it is still collecting data, Microsoft says that the early quality and security metrics for products that have used the SDL are encouraging. For example, Windows Server 2003, which implemented large portions of the SDL, has had substantially fewer security bulletins issued within the first year of its release.