The Story Behind the Microsoft Security Development Lifecycle

If you've been around the tech profession for very long, you might remember the early days of Microsoft software, when software security was an afterthought because electronic felons were just cutting their teeth. Over time, hackers and malware writers have become extremely resourceful and insolent, but there was a time before zero-day flaws, drive-by exploits, botnets, and worms. Today, we are accustomed to patching Microsoft products once a month; it has become part of the overall process for protecting business assets. It's easy to forget that there actually was a beginning.

For those who remember, the Code Red worm caused worldwide panic in 2001 and was one of the first true mass-impact exploits of Microsoft software. Targeting the IIS web server, it infected over 359,000 hosts. The following months brought even deeper exposure as new worms and viruses were released to take advantage of more holes in Microsoft software. As 2001 lumbered on, it became clear that virus writers intended to specifically target Microsoft products because of the company's reach and proliferation in the market. Code Red was followed by new exploits with names like Nimda, Code Red II, MyDoom, and Sasser.

Code Red was the wake-up call for Microsoft. In February 2002, prompted by a memo from Bill Gates that first coined the phrase "Trustworthy Computing," Microsoft shut down Windows development for the first time ever to get a handle on the security issues its products were facing. During this lull in Windows development, the Microsoft Security Development Lifecycle (SDL) was born. SDL is still in use today and affects each and every Microsoft product, putting security before features and enhancements. Microsoft was truly the pioneer in this area.

It's a great story, and Microsoft has put together a special, interactive web site that steps through the entire tome of history and knowledge about how SDL came to be. Through text, video, and pictures, learn the seven phases of SDL: Training, Requirements, Design, Implementation, Verification, Release, and Response. And, along the way, meet some of the people instrumental in developing the mindsets and processes that we all use today.

The site is here:
