Appendix R: SDL-Agile One-Time Requirements

Title	Requirement/Recommendation	Applies to Online Services	Applies to Managed Code	Applies to Native Code
Avoid writable PE segments	Requirement	X		X
Create a baseline threat model	Requirement	X	X	X
Determine security response standards	Requirement	X	X	X
Do not use Visual Basic 6 to build products	Requirement	X	X	X
Establish a security response plan	Requirement	X	X	X
Identify primary security and privacy contacts	Requirement	X	X	X
Identify your team's privacy expert	Requirement	X	X	X
Identify your team's security expert	Requirement	X	X	X
Threat model your product, its attack surface, and its new features	Requirement	X	X	X
Use approved XML parsers	Requirement	X		X
Use latest compiler versions	Requirement	X	X	X
Use minimum code generation suite and libraries	Requirement		X	X
Configure bug tracking to track the cause and effect of security bugs	Recommendation	X	X	X
Designate full-time security program manager	Recommendation	X	X	X
Remove dependencies on NTLM authentication	Recommendation	X	X	X

Content Disclaimer

This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products. This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2012 Microsoft Corporation. All rights reserved. Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported