Introduction to Microsoft Online Services security development and operation


Microsoft's Security Development Lifecycle (SDL) is a security assurance process focused on developing and operating secure software. The SDL provides detailed, measurable security requirements for developers and engineers at Microsoft to reduce the number and severity of vulnerabilities in our products and services. All Microsoft Online Services must follow SDL requirements, and we continuously update the SDL to reflect the changing threat landscape, industry best practices, and regulatory standards for compliance.

Phases of Microsoft's SDL

Microsoft has built SDL practices into the DevOps model to ensure security and privacy remain a core focus of our products and services. To safeguard customers and Microsoft Online Services data, all development at Microsoft takes place in development environments completely segregated from production environments without any access to customer tenants. In addition, access to production environments is limited to engineers operating the services, and these environments are segregated from the Microsoft corporate network.

[Figure: A process flow of the SDL, starting with training and moving through requirements, design, implementation, verification, release, and response.]

The SDL process at Microsoft can be thought of in terms of five phases of development:

  1. Requirements: Security, privacy, and functional requirements are defined, serving as the foundation on which the service is designed.
  2. Design: The service architecture is designed to meet the defined requirements, and threat models are created to help identify, categorize, and rate potential threats.
  3. Implementation: Code is written following the defined design specifications using approved secure development tools.
  4. Verification: The service code is both automatically and manually reviewed to ensure it meets the defined requirements and is free of coding errors and security flaws.
  5. Release: The approved build is gradually rolled out using a safe deployment process, beginning with internal test environments, and ending with the full production scope.

In addition to the five core development phases described above, two related security activities support the SDL. Microsoft personnel who develop our products and services are required to complete security-oriented training to understand the SDL and cultivate a defensive mindset. After release, new production services are monitored through Microsoft's security monitoring and vulnerability management processes to ensure their security posture is maintained and that Microsoft can respond to potential threats throughout their lifecycle.

In the units that follow, we will explore how Microsoft implements SDL requirements by:

  • Requiring training for security awareness and secure development practices.
  • Defining security and privacy requirements, maintaining up-to-date threat models, and requiring manual code review.
  • Running SDL tools automatically to detect security issues in the code as part of the build process.
  • Enforcing and testing operational security requirements to maintain security best practices.
  • Performing security and privacy reviews prior to release.
  • Using Component Governance (CG) to manage open-source software.
