Insufficient data from Andrew Fryer

The place where I page to when my brain is full up of stuff about the Microsoft platform

Microsoft Security Development Lifecycle (SDL)

While all of us IT Professionals work hard to make the infrastructure as secure as possible, we largely have to live with the security we are given, be it in the operating system, attendant drivers, or applications.

Of course it’s developers who create all of this software, and while this skill has not been on my CV for ten years I was interested in how security is baked into software like SQL Server 2008 and Windows. So armed with a video camera I buttonholed Glenn Pittaway, Group Program Manager of the Security Development Lifecycle (SDL) at Microsoft.

The SDL methodology is now at the core of all development work at Microsoft that has an internet-facing element (i.e. virtually everything!). You might argue that this gives Microsoft developers an edge over the competition, as they can write more secure code more quickly; however, these same SDL resources are also publicly available.

That is because security is only as good as the weakest link, and because a user simply isn’t interested in the detail: they just want to work, shop, search and love. For example, I saw that Adobe was having some issues with the alerts around updating applications based on AIR. You would think this would cause a bit of mirth amongst my fellow Microsofties, when in fact we would rather help Adobe resolve these kinds of issues, so that security is taken out of the equation when deciding which application to run, and Windows is made as safe and secure as possible.

So if you work with those developer types, can I suggest that you point them to my 12 minute SDL video if they aren’t using it already, so that their stuff isn’t the weakest link in your organisation.