Security Development Lifecycle (SDL) for Agile Development

Microsoft adapts SDL for modern, semi-structured, and popular software development processes

While all of the recent Microsoft buzz centers on Windows 7, the company made a small but important announcement this week. At TechEd Europe in Germany, Microsoft announced that it has adapted its SDL model to accommodate Agile software development. This announcement needs a bit of clarification. First, Agile software development is an interative software development model based upon teamwork, cooperation, and communication around specific software functionality. The goal here is rapid application development of specific "chunks" of software functionality rather than the massive, multi-phased software development models of the past. These principles were adapted from successful manufacturing processes such as Six Sigma and the Toyota 5S methodology. Since its inception in 2001, the Agile development model has gained popularity as it fits well with today's web-based applications. It is worth noting however that there is no single Agile development model. This makes sense as Agile's focus on teamwork and communication leaves plenty of room for improvisation. While Agile development has demonstrated its ROI value, the emphasis was always on rapid application and not necessarily security. Recognizing this deficiency, Microsoft jumped in by adapting its SDL model for Agile. Since the Agile model does not have distinct phases and features rapid release cycles, Microsoft broke its process-oriented SDL into "buckets" of activities. Some of these activities must be done for each Agile project (ex. threat modeling), some must be done once (ex. update compilers), and some must be done on a case-by-case basis (ex. Fuzz testing). Microsoft produced a number of tools and papers to help developers align their Agile development processes to each of these buckets. Ultimately, all of the goodness of SDL remains intact but developers can customize it for their own needs. This may seem deep in the technical weeds, but I believe this is an important announcement because: 1. Agile development is widespread. Microsoft uses it internally so aligning Agile with SDL was an important corporate goal. 2. Software security is generally very poor -- especially around web applications. 3. Software assurance is at the heart of many cybersecurity improvement plans such as the Cyber Supply Chain Assurance Model being studied and promoted by SAIC and It is also worth mentioning that SDL is not a profit center for Microsoft. The SDL model creation, development, support, and distribution costs Microsoft a lot of dough each year. I hope this announcement gets the attention it deserves, especially with Computer Science programs, developer communities, security professionals, and public policy makers. Software security is everybody's business.

Copyright © 2009 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)