Jeremy Dallman here to let you know we have released our annual update to the Microsoft Security Development Lifecycle Process Guidance – version 5.2 (SDL 5.2). SDL 5.2 is now available for download (.docx format) as well as updated online in the MSDN library.
The changes in SDL 5.2 demonstrate how the Microsoft SDL evolves internally to address new attack vectors, provides guidance that leads to implementation of new protections, and improves the security of Microsoft products throughout our software development lifecycle. This public update of Microsoft’s SDL Process Guidance documentation is intended to provide transparency into how we implement the SDL at Microsoft.
The SDL 5.2 guidance may be a useful reference resource for organizations whose processes align with Microsoft’s, or that are looking for detailed information on how Microsoft implements SDL practices. However, if you are just beginning your investigation or implementation of the SDL, we encourage you to first read the Simplified Implementation of the SDL paper and some of the additional resources we make available on the Microsoft SDL website to begin building your own SDL framework.
Since this is a smaller “dot” release, we simply tagged each change within the paper so it can be easily discovered by searching the document for one of the following phrases: “New for SDL 5.2”, “Promoted for SDL 5.2” or “Updated for SDL 5.2”. The updated content in the MSDN library includes all updates automatically.
If you have any questions about the Microsoft SDL 5.2 Process Guidance, feel free to comment on this post or send us an email. We always enjoy hearing how the guidance and tools we provide help your organization adopt SDL practices.
It's taking too long to get the FAQ updated. Currently, it's pointing people to 5.1:
Thanks for your comment and interest, Kenneth. Our FAQ page will soon be updated. Changes in 5.2 include clarifications to the Security Bug Bar, updated guidance on new exploit mitigations, and other attack surface reduction practices.