Blog Series: Get Familiar with the SDL-LOB (Security Development Lifecycle for Line-Of-Business Applications) Process

Hello, Anmol Malhotra here. I’m a Senior Security Engineer with ACE Team, a part of Microsoft IT Information Security group. I’d like to introduce you to the Security Development Lifecycle for Line-of-Business Applications (SDL-LOB) process.

As part of our continued commitment towards sharing security processes and recommendations with our customers, we’re excited to announce the addition of detailed security requirements and recommendations for LOB (line-of-business) applications with the release of Microsoft SDL version 4.1 on MSDN.

SDL-LOB provides a mainstream approach to the SDL which focuses on development of applications that support the business such as accounting, human resources (HR), payroll, supply chain management and resource planning applications, etc. The SDL-LOB guidance is positioned exclusively for LOB applications or web applications; and not for ISV/rich client and server application development.

Here’s an overview of SDL-LOB process. High level tasks performed in each stage are listed in the table below:

Dd831970.SDL Lifecycle(en-us,MSDN.10).png

Training Requirements Design Implementation Verification Release

LOB-specific training

Risk assessment

-Application portfolio

-Application risk assessment

-Determine service level

Asset-centric threat modeling

-Threat model

-Design review


Internal review

-Incorporate security checklists and standards

-Conduct “self” code review

-Security code analysis

Pre-production assessment

-Comprehensive security assessment

-Bug tracking

Post-production assessment -Host level scan



It is important to note that organizations should adapt rather than adopt “Microsoft SDL-LOB” process.Organizations are unique – given that fact we should expect and plan for differences in resources, executive support and security expertise.

Some of the highlights of SDL-LOB are:

  • To weave security in SDLC by embedding various milestones/checkpoints in each of the phases.
  • Identifying security vulnerabilities early in the development cycle and thereby improving the overall design.
  • To enable effective application risk management from strategic, tactical, operational and legal perspective.

At Microsoft, all line-of-business application development teams must go through the SDL-LOB process and if they fail to do so, the application cannot go live. Enforcement of the SDL-LOB process attributes to its success.

In this blog series I’ll discuss the highlights of each of the phases in SDL-LOB. Next time, I’ll go over Phase 1: Risk Assessment for LOB. In the mean time get familiar with the SDL-LOB here.

-Anmol Malhotra
Senior Security Engineer
ACE Team