SDL-Agile: Microsoft's Approach to Security for Agile Projects
The Security Development Lifecycle (SDL) has been instrumental in reducing the number and severity of security vulnerabilities in Microsoft products, but historically, the SDL has been difficult to implement in Agile development environments. Core tenets of the SDL, such as threat modeling and security incident response planning, seem to be at odds with core tenets of Agile, such as minimising documentation overhead and avoiding contract negotiation. Even more challenging is the fact that Agile teams use time-boxed release cycles, often as short as one week, which does not leave much time for completing secure development activities. However, despite these challenges, the SDL and Agile can be made to work well together -- in fact, they can work better together than they can separately. This session will detail the process changes that the SDL team has made to improve the applicability of the SDL to Agile development methodologies. We will discuss key challenges faced in adapting secure development practices to Agile and how they were overcome, and we will discuss inherent strengths of Agile that work exceptionally well with the SDL and can potentially lead to a best-of-both-worlds scenario.