This post is authored by Andrew Marshall, Principal Security Program Manager, Security Engineering.
For well over a decade, Microsoft has been committed to designing, developing, and testing software in a secure and trustworthy manner and sharing the Security Development Lifecycle (SDL) methodology and resources with the software development community. We are continuing to invest in the evolution of the SDL and the resources we provide to enable the ecosystem to adapt to new technology and the ever-changing threat landscape.
Today, we’re announcing an important new round of updates and technical content additions to the SDL website. These updates provide up-to-date guidance and best practices that evolve with the Security Development Lifecycle. We’ve made updates to security tooling guidance, compiler and cryptographic recommendations, and the SDL Developer Starter Kit.
- Security Tools recommendations have been consolidated for easier consumption.
- BinSkim has been introduced as a modern, more performant replacement for BinScope.
- Compiler recommendations have been updated to reflect built-in security protections and flags on-by-default in recent Visual Studio releases.
- Detailed Cryptographic Recommendations taken from Microsoft internal standards are now available for the first time – providing valuable guidance for developers looking to build cryptography into applications and services in line with Microsoft’s own practices.
- The SDL Developer Starter Kit has also received updated design and implementation training materials as well as security testing tools.
The SDL represents our strategic investment in improving security across the ecosystem, and over the next few months we will make additional changes to the Security Development Lifecycle website. Check back for new content detailing how you can implement SDL in the world of Continuous Release/Continuous Development and DevOps.