Article

The Trustworthy Computing Security Development Lifecycle

Author:

Steve LipnerAuthors Info & Claims

ACSAC '04: Proceedings of the 20th Annual Computer Security Applications Conference

Pages 2 - 13

https://doi.org/10.1109/CSAC.2004.41

Published: 06 December 2004 Publication History

Publisher Site

Abstract

This paper discusses the Trustworthy Computing Security Development Lifecycle (or simply the SDL), a process that Microsoft has adopted for the development of software that needs to withstand malicious attack.The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process.These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing during a focused "security push".Before software subject to the SDL can be released, it must undergo a Final Security Review by a team independent from its development group.When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities.This paper describes the SDL and discusses experience with its implementation across a range of Microsoft software.

Cited By

View all

Reiche FWeber TBecker SWeber SHeinrich RBurger ECombemale BWimmer MChechik MEgyed A(2024)Consistency Management for Security Annotations for Continuous VerificationProceedings of the ACM/IEEE 27th International Conference on Model Driven Engineering Languages and Systems10.1145/3652620.3687821(1096-1105)Online publication date: 22-Sep-2024
https://dl.acm.org/doi/10.1145/3652620.3687821
Cheng RWang RZimmermann TFord D(2024)“It would work for me too”: How Online Communities Shape Software Developers’ Trust in AI-Powered Code Generation ToolsACM Transactions on Interactive Intelligent Systems10.1145/365199014:2(1-39)Online publication date: 9-Mar-2024
https://dl.acm.org/doi/10.1145/3651990
Wang RCheng RFord DZimmermann T(2024)Investigating and Designing for Trust in AI-powered Code Generation ToolsProceedings of the 2024 ACM Conference on Fairness, Accountability, and Transparency10.1145/3630106.3658984(1475-1493)Online publication date: 3-Jun-2024
https://dl.acm.org/doi/10.1145/3630106.3658984
Show More Cited By

Recommendations

Security Maturity Self-Assessment Framework for Software Development Lifecycle
ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security

Vulnerable software often originates from insufficient attention to security in the software development lifecycle. However, current maturity models provide limited support for the teams to assess the security maturity of their software development ...
Security in the software development lifecycle
SOUPS '18: Proceedings of the Fourteenth USENIX Conference on Usable Privacy and Security

We interviewed developers currently employed in industry to explore real-life software security practices during each stage of the development lifecycle. This paper explores steps taken by teams to ensure the security of their applications, how ...
Software development lifecycle models

This history column article provides a tour of the main software development life cycle (SDLC) models. (A lifecycle covers all the stages of software from its inception with requirements definition through to fielding and maintenance.) System ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ACSAC '04: Proceedings of the 20th Annual Computer Security Applications Conference

December 2004

434 pages

ISBN:0769522521

Publisher

IEEE Computer Society

United States

Publication History

Published: 06 December 2004

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

26
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 28 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Reiche FWeber TBecker SWeber SHeinrich RBurger ECombemale BWimmer MChechik MEgyed A(2024)Consistency Management for Security Annotations for Continuous VerificationProceedings of the ACM/IEEE 27th International Conference on Model Driven Engineering Languages and Systems10.1145/3652620.3687821(1096-1105)Online publication date: 22-Sep-2024
https://dl.acm.org/doi/10.1145/3652620.3687821
Cheng RWang RZimmermann TFord D(2024)“It would work for me too”: How Online Communities Shape Software Developers’ Trust in AI-Powered Code Generation ToolsACM Transactions on Interactive Intelligent Systems10.1145/365199014:2(1-39)Online publication date: 9-Mar-2024
https://dl.acm.org/doi/10.1145/3651990
Wang RCheng RFord DZimmermann T(2024)Investigating and Designing for Trust in AI-powered Code Generation ToolsProceedings of the 2024 ACM Conference on Fairness, Accountability, and Transparency10.1145/3630106.3658984(1475-1493)Online publication date: 3-Jun-2024
https://dl.acm.org/doi/10.1145/3630106.3658984
Alzahrani AKhan R(2024)Secure software design evaluation and decision making model for ubiquitous computingComputers in Human Behavior10.1016/j.chb.2023.108109153:COnline publication date: 12-Apr-2024
https://dl.acm.org/doi/10.1016/j.chb.2023.108109
Chimuco FSequeiros JSimōes TFreire MInácio P(2024)Expediting the design and development of secure cloud-based mobile appsInternational Journal of Information Security10.1007/s10207-024-00880-623:4(3043-3064)Online publication date: 1-Aug-2024
https://dl.acm.org/doi/10.1007/s10207-024-00880-6
Patnaik NDwyer AHallett JRashid A(2023)SLR: From Saltzer and Schroeder to 2021…47 Years of Research on the Development and Validation of Security API RecommendationsACM Transactions on Software Engineering and Methodology10.1145/356138332:3(1-31)Online publication date: 27-Apr-2023
https://dl.acm.org/doi/10.1145/3561383
Braz LBacchelli ARoychoudhury ACadar CKim M(2022)Software security during modern code review: the developer’s perspectiveProceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3540250.3549135(810-821)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3540250.3549135
Ezenwoye OLiu YOgden CGamess E(2022)Integrating vulnerability risk into the software processProceedings of the 2022 ACM Southeast Conference10.1145/3476883.3520217(91-98)Online publication date: 18-Apr-2022
https://dl.acm.org/doi/10.1145/3476883.3520217
Ankele RMarksteiner SNahrgang KVallant H(2019)Requirements and Recommendations for IoT/IIoT Models to automate Security Assurance through Threat Modelling, Security Analysis and Penetration TestingProceedings of the 14th International Conference on Availability, Reliability and Security10.1145/3339252.3341482(1-8)Online publication date: 26-Aug-2019
https://dl.acm.org/doi/10.1145/3339252.3341482
van der Linden DRashid A(2019)The Effect of Software Warranties on CybersecurityACM SIGSOFT Software Engineering Notes10.1145/3282517.330239843:4(31-35)Online publication date: 2-Jan-2019
https://dl.acm.org/doi/10.1145/3282517.3302398
Show More Cited By

Abstract

Cited By

Recommendations

Security Maturity Self-Assessment Framework for Software Development Lifecycle

Security in the software development lifecycle

Software development lifecycle models

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Share

Share this Publication link

Share on social media

Affiliations