Copyright © Microsoft Corp 2006 The Security Development Lifecycle Eric Bidstrup, CISSP Group Program Manager Security Engineering and Communication.

Presentation transcript:

1 The Security Development Lifecycle
Eric Bidstrup, CISSP
Group Program Manager
Security Engineering and Communication

2 Security Deployment Lifecycle Tasks and Processes
Phases: Requirements, Design, Implementation, Verification, Release, Support & Servicing
Tasks and processes shown:
Security Training
Security Kickoff & Register with SWI
Security Design Best Practices
Security Arch & Attack Surface Review
Use Security Development Tools & Security Best Dev & Test Practices
Create Security Docs and Tools For Product
Prepare Security Response Plan
Security Push
Pen Testing
Final Security Review
Security Servicing & Response Execution
Threat Modeling

3 Very Encouraging Results!
Windows 2000 vs Windows Server 2003
Office 2000 vs Office 2003
Windows XP SP1 vs Windows XP SP2
Exchange 2000 vs Exchange 2003

4 Very Encouraging Results!
Over 50% reduction in vulnerabilities
IIS5 vs IIS6
SQL Server 2000 vs SQL Server 2000 SP3
IE6 vs IE6 SP2

5 Security Development Lifecycle: Demonstrating Results
“We actually consider Microsoft to be leading the software [industry] now in improvements in their security development life cycle [SDL].”
John Pescatore, Vice President and Distinguished Analyst, Gartner, Inc (From CRN, Feb 13th 2006)
http://tinyurl.com/rezjz

6 Secure Products Require Process Improvement
Simply “looking for bugs” doesn’t make software secure
You must reduce the chance that defects are entered into the design and code
Requires Executive commitment
Education
Ongoing improvement

