Appendix R: SDL-Agile One-Time Requirements

  • Article
Title Requirement/Recommendation Applies to Online Services Applies to Managed Code Applies to Native Code
Avoid writable PE segments Requirement X X
Create a baseline threat model Requirement X X X
Determine security response standards Requirement X X X
Do not use Visual Basic 6 to build products Requirement X X X
Establish a security response plan Requirement X X X
Identify primary security and privacy contacts Requirement X X X
Identify your team's privacy expert Requirement X X X
Identify your team's security expert Requirement X X X
Threat model your product, its attack surface, and its new features Requirement X X X
Use approved XML parsers Requirement X X
Use latest compiler versions Requirement X X X
Use minimum code generation suite and libraries Requirement X X
Configure bug tracking to track the cause and effect of security bugs Recommendation X X X
Designate full-time security program manager Recommendation X X X
Remove dependencies on NTLM authentication Recommendation X X X

Content Disclaimer

This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.

This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.

This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2012 Microsoft Corporation. All rights reserved.

Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported