Security Development Lifecycle (SDL) and Microsoft Office 2010

The Microsoft Security Development Lifecycle (SDL) is a security assurance process focused on software development. The 2007 Office system was the first Microsoft Office release to include a standardized SDL process throughout the product development life cycle. This paper summarizes how the SDL process and the additional security work that the Office team carried out have dramatically improved the security of 2007 Office system software.

There are more than 50 requirements in the SDL that apply to the phases of the development process: training, requirements, design, implementation, verification, release, and response (post-release). The requirements and recommendations of the SDL aren't static; they are changed on a regular basis in light of emerging threats and improvements to supporting infrastructure, tools, and processes.

In addition to passing the Final Security Review mandated by the SDL process, the Office 2010 team also met additional emerging SDL requirements such as integrating the improved integer overflow libraries, compiling with the enhanced GS flag, and executing a number of fuzzing iterations far beyond the SDL requirement. These were the most impactful of the additional SDL requirements met by Office 2010. The following image shows the phases in the SDL process:


How the Security Development Lifecycle Helped Improve the Security of the 2007 Microsoft Office System

Download: Office 2007 SDL Whitepaper | More info: How the SDL helped improve Security in Office 2010