Microsoft first mandated use of the Security Development Lifecycle (SDL) in 2004. Now, the SDL underpins our Secure Future Initiative (SFI) and supports SFI’s goals of secure by design, secure by default, and secure operations. The SDL is a proven, adaptable approach we apply to building secure products and services.
In this video, Tony Rice, principal security program manager in the Office of the CISO, discusses the teams and organizational systems that help define and adapt the security requirements applied across the enterprise. You’ll hear how teams work together to embed security into engineering workflows and scale assurance through automation, secure defaults, and data-driven KPIs. We seek to continuously monitor and improve security by applying both automated controls and human-driven security reviews.
“This isn’t just about ticking boxes. It’s about making sure that security is embedded in every stage of development and operation,” says Rice.

Learn from our experience
Key takeaways
Here are some practices to socialize in your organization as you seek ways to embed “security first” thinking:
- Inventory, deeply and regularly. Create, and regularly review, an accurate, complete, and categorized inventory of your company’s development assets. This inventory is the foundation for automation: controls cannot be automated over assets you do not know you have.
- Invest in scaling assurance functions. Having security policies is not enough. It takes time, attention, and effort to define processes and build technical control automation.
- Shift left. “Shifting left” means not waiting until a service or feature is nearly done to consider security requirements. Consider ways to integrate meeting security requirements in the work developers do every day.
- Have humans review. Prioritize human-driven security reviews on the business’s most critical scenarios and assets.
- Measure your organizational progress. The best way to know whether you are succeeding is to measure your progress against your organization’s security requirements. Incremental improvements in measurement and remediation drive real security outcomes.
Try it out
- Explore actionable patterns and practices from the Secure Future Initiative (SFI).
- Learn about the role of UX as part of a security strategy.
Related links
- Read about how to evolve your security practices for an AI-powered world.
- Learn how we’re protecting AI conversations at Microsoft with Model Context Protocol security and governance.
- Explore best practices for conducting security risk reviews.
- Check out this overview of the core phases of SDL assurance at Microsoft.
- Get more SDL guidance and documentation you can adapt for your organization.
- Find out how to implement SDL practices.
- Learn about the practices of the SDL, and how to implement them in your organization.
- Read our announcement of new security tools and capabilities.