Microsoft SDL Optimization Model

Having been preparing for the CSSLP examination, I downloaded the Microsoft SDL Developer Starter Kit to study. SDL (Security Development Lifecycle) is a Microsoft proprietary methodology to incrementally, consistently, cost-effectively apply and improve the existing software development process. Microsoft claims that SDL can be applied to any kind of SDLC, ranging from waterfall to agile. The goal is to reduce customer risk.

In SDL, there is a Microsoft SDL Optimization Model that can be used by IT managers and decision makers to assess the state of the security of their development organization with the use of four maturity levels.

1. Basic - Security is reactive; Customer Risk is undefined.
2. Standardized - Security is proactive; Customer Risk is understood.
3. Advanced - Security is integrated; Customer Risk is controlled.
4. Dynamic - Security is specialized; Customer Risk is minimized.

The optimization model enables the development organization to create its own roadmap in five software development capability areas to transit to attain the highest maturity level.

1. Training, Policy, and Organizational Capabilities
2. Requirements and Design
3. Implementation
4. Verification
5. Release and Response

The activities in each of the five capability areas are defined by Microsoft who also recommends a four-phase approach for the implementation of each activity.

In fact, Microsoft SDL is a quite complete methodology suitable for software product development. I am still not sure if it would be appropriate for bespoke software projects. Let me revisit this later.