Pitt IS 2620 - The Trustworthy Computing Security

The Trustworthy Computing Security Development Lifecycle

Steve Lipner
Security Engineering and Communications Security
Business and Technology Unit
Microsoft Corporation
1 Microsoft Way, Redmond, WA 98052

Abstract

This paper discusses the Trustworthy Computing Security Development Lifecycle (or simply the SDL), a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process. These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing during a focused security push. Before software subject to the SDL can be released, it must undergo a Final Security Review by a team independent from its development group. When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities. This paper describes the SDL and discusses experience with its implementation across a range of Microsoft software.

1 Introduction

It is imperative that all software vendors address security threats. Security is a core requirement for software vendors, driven by market forces, the need to protect critical infrastructures, and the need to build and preserve widespread trust in computing. A major challenge for all software vendors is to create more secure software that requires less updating through patches and less burdensome security management.

For the software industry, the key to meeting today's demand for improved security is to implement repeatable processes that reliably deliver measurably improved security. Therefore, software vendors must transition to a more stringent software development process that focuses, to a greater extent, on security. Such a process is intended to minimize the number of security vulnerabilities extant in the design, coding, and documentation, and to detect and remove those vulnerabilities as early in the development lifecycle as possible. The need for such a process is greatest for enterprise and consumer software that is likely to be used to process inputs received from the Internet, to control critical systems likely to be attacked, or to process personally identifiable information.

There are three facets to building more secure software: repeatable process, engineer education, and metrics and accountability. This document focuses on the repeatable process aspect of the SDL, although it does discuss engineer education and provide some overall metrics that show the impact to date of application of (a subset of) the SDL.

This paper describes the integration of a set of steps intended to improve software security into the software development process that is typically used by large software development organizations. These steps have been designed and implemented by Microsoft as part of its Trustworthy Computing Initiative. The goal of these process improvements is to reduce the quantity and severity of security vulnerabilities in software used by customers. In this document, the modified software development process, which is currently being implemented at Microsoft, is referred to as the Trustworthy Computing Software Development Lifecycle (or simply the SDL).

If Microsoft's experience is a guide, adoption of the SDL by other organizations should not add unreasonable costs to software development. In Microsoft's experience, the benefits of providing more secure software (e.g., fewer patches, more satisfied customers) outweigh the costs.

The SDL involves modifying a software development organization's processes by integrating measures that lead to improved software security. This document summarizes those measures and describes the way that they are integrated into a typical software development lifecycle. The intention of these modifications is not to totally overhaul the process, but rather to add well-defined security checkpoints and security deliverables.

This document assumes that there is a central group within the company (or software development organization) that drives the development and evolution of security best practices and process improvements, serves as a source of expertise for the organization as a whole, and performs a review (the Final Security Review, or FSR) before software is released. In Microsoft's experience, the existence of such an organization is critical to successful implementation of the SDL as well as to improving software security. While some organizations might consider having the central security team role performed by a contractor or consultant, Microsoft experience is that the security team must be available for frequent interactions during software design and development and must be trusted with sensitive technical and business information. For these reasons, the preferred solution is to build a security team within the software development organization (although it may be appropriate to engage consultants to help build and train the members of the team).

1.1 The Baseline Process

The generally accepted software development process at Microsoft follows roughly the flow shown in Figure 1. At a high level, this process is typical of industry practice. While Figure 1 shows five milestones and appears to suggest a waterfall development process, the process is in fact a spiral. Requirements and design are often revisited during implementation in response to changing market needs and to realities that arise during software implementation. Furthermore, the development process emphasizes the need to have running code at almost every point, so each major milestone is in fact broken into the delivery of a series of builds that can be tested and used operationally by the development team on an ongoing basis.

[Figure 1: Baseline development process. Milestones M0 through M5 span the phases Requirements, Design, Implementation, Verification and Release; the main deliverables listed under them are Vision Memo, Design spec, Feature and platform code, Beta, and Final Code Complete / Release Candidate / RTM / RTW.]

1.2 Security Development Lifecycle Overview

Experience with the security of real-world software has led to a set of high-level principles for building more secure software. Microsoft refers to these principles as SD3+C: Secure by Design, Secure by
