Microsoft Security Development Lifecycle (SDL)

We all know that at one time in the past that Microsoft was considered the laughing stock of computer and software security. While it’s debatable that Microsoft was really much worse than any other software vendor, the fact is that Microsoft’s large installed base made it the focal point for hackers and malware. Exploits at the time were high viability events that got a lot of media coverage.

That’s seems like a hundred years ago to most of us in the Microsoft security community. While security is always a work in progress, Microsoft has gone from what many thought of as the least secure software company in the world, to what many consider the most secure software company in the world.

It didn’t happen overnight, and it wasn’t magic or the “power of money”. What enabled Microsoft to turn so quickly from unsecure to secure was Bill Gates’ mandate that attention to secure software development would be job one and then the implementation of the Microsoft Security Development Lifecycle or SDL.

The SDL provides processes and procedures that programmers and application developers can use to insure that software is built with security in mind. Security isn’t “bolted on” afterward. Instead, security considerations, threat modeling and fuzz testing is done throughout development so as to minimize the risk of “surprises”.

The SDL is part of all software development at Microsoft now and the results of it’s implementation are astounding. All you need to do is check the reductions in security issues with Windows Vista versus previous Windows client versions or Windows Server 2008 compared to previous Windows Server versions.

Microsoft has put together a new landing page for the SDL. You can find it at and get more information about the SDL. Then, when you’re considering purchasing software from Microsoft or another vendor, ask the other vendor for information on their SDL and details on how they implement it, like the information on the Microsoft SDL page.



Thomas W Shinder, M.D.

Email: [email protected]
MVP – Microsoft Firewalls (ISA)

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top