Microsoft SDL: Vista Security Policy Website

Microsoft has officially debuted the Security Development Lifecycle (SDL) website, which will serve as the main online presence for all SDL-related communications and resources from Microsoft.

“For several years now the SDL has been at the heart of Microsoft’s strategy for making security and privacy an integral part of the software development culture at Microsoft. As a result of the SDL, we have seen significant security improvements across many flagship Microsoft products including Windows, SQL Server and others. These security improvements have been widely recognized by security analysts, researchers and other experts,” stated David Ladd, Senior Security Program Manager on the Security Engineering Strategy Team.

SDL has its roots in Microsoft Chairman Bill Gates' Trustworthy Computing (TwC) directive, which dates back to January 2002. However, the practice only started to be implemented a couple of years later, in 2004. Windows Vista was in fact the company's first operating system to be produced entirely under the SDL methodology. This has allowed Microsoft to claim that Vista is the most secure Windows platform to date.

“Despite the significant improvements and recognition, we believe that our connections to our broad technical audiences (developers and IT Pros) are not equating the SDL to the progress we have made with our technologies and services. Given that, our goal is to help illustrate SDL processes and tooling in a structured and consistent manner - by providing actionable guidance for the different job roles within a development organization,” Ladd added.