Microsoft's Security Development Lifecycle

Microsoft has recently released an update to their Security Development Lifecycle meant to address the need for security in the agile development process. The document defines Microsoft's process, which is termed Secure by Design, Secure by Default, Secure in Deployment, and Communications (or SD3+C). The section below describes the list of products and services that are required to adopt the SDL process. This seems to cover basically every piece of software that Microsoft makes.
What Products and Services Are Required to Adopt the SDL Process?
  • Any software release that is commonly used or deployed within any organization, such as a business organization or a government or nonprofit agency.
  • Any software release that regularly stores, processes, or communicates PII or other sensitive information. Examples include financial or medical information.
  • Any software product or service that targets or is attractive to children 13 years old or younger.
  • Any software release that regularly connects to the Internet or other networks. Such software might be designed to connect in different ways, including:
    • Always online. Services provided by a product that involve a presence on the Internet (for example, Windows® Messenger).
    • Designed to be online. Browser or mail applications that expose Internet functionality (for example, Microsoft Office Outlook® or Microsoft Internet Explorer®).
    • Exposed online. Components that are routinely accessible through other products that interact with the Internet (for example, Microsoft ActiveX® controls or PC–based games with multiplayer online support).
  • Any software release that automatically downloads updates.
  • Any software release that accepts or processes data from an unauthenticated source, including:
    • Callable interfaces that “listen.”
    • Functionality that parses any unprotected file types that should be limited to system administrators.
    • Any release that contains ActiveX controls.
    • Any release that contains COM controls.

Src: Microsoft's Security Development Lifecycle

No comments: