- Explore more great deals on thousands of titles in our Deals in Books store.
Getting the download link through email is temporarily not available. Please check back later.
To get the free app, enter your mobile phone number.
The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices) 1st Edition
Use the Amazon App to scan ISBNs and compare prices.
Excel 2016 For Dummies Video Training
Discover what Excel can do for you with self-paced video lessons from For Dummies. Learn more.
Customers Who Bought This Item Also Bought
Special Offers and Product Promotions
From the Publisher
Key Book Benefits:
Delivers practical, proven advice from the experts for minimizing security-related code defects
Details a methodology that can be applied to any development process, with outstanding results
Includes a CD-ROM with video training classes for developers conducted by coauthor Michael Howard, a security program manager at Microsoft
About the Author
Michael Howard, CISSP, is a leading security expert. He is a senior security program manager at Microsoft® and the coauthor of The Software Security Development Lifecycle. Michael has worked on Windows security since 1992 and now focuses on secure design, programming, and testing techniques. He is the consulting editor for the Secure Software Development Series of books by Microsoft Press.
Steve Lipner, CISSP, is the senior director of Security Engineering Strategy for Microsoft. He is responsible for defining and updating the Security Development Lifecycle and has pioneered numerous security techniques. Steve has over 35 years’ experience as a researcher, development manager, and general manager in IT security.
Top Customer Reviews
"Security Development Lifecycle" (SDL) is unique because in many ways it exposes the guts of Microsoft's product development process. I cannot recall seeing another technical company share so much of its internal procedures with the public. One of the most interesting aspects of SDL is the attention paid to security after a product is shipped. No one at Microsoft breathes a sigh of relief when boxes appear on store shelves. Instead, Microsoft explains how it conducts security response planning in ch 15 and security response execution in ch 17. (Between the two is ch 16 -- only 3/4 of a page! Why bother?)
Although I liked SDL overall (enough to justify 4 stars), I thought it suffered three major problems. First, I don't think the audience was defined properly. p xviii mentions "managers" as the primary target, along with architects and designers. Specifically, "this is not a book for developers.Read more ›
The introductory material is weak, part 1 which explores the reasoning and history behind the SLD seemed to be stretched needlessly, repeating the same information multiple times. Chapter 4 which provides the management impact of the SDL lacks focus, and does not justify the need (ROI) for the SDL.
Part 2 goes though each step of the SDL in detail. Overall, this section is more polished and for the most part does a good job of covering each domain in detail. While this book is focused on managerial and operational activities, there are times where it awkwardly delves into specific technical details. Chapter 10 (Documents, Tools, Practices for customers) and chapter 15 (Response planning) are strong chapters which most everyone can lean from.
Part 3 is a series of reference materials. Chapter 20 (Crypto) and 21 (Compiler Options) are good guidelines to compare your organizations own practices against.Read more ›
Microsoft is, of course, a huge software development organization. To move the organization into writing more secure code it was necessary to develop plans, procedures, classes for managers and programmer and the like to implement writing more secure code. The resulting effort is called the Security Development Lifecycle (SDL).
The results of implementing SDL are summarized in the Introduction to the book. Here are two newspaper headlines quoted there:
Gartner Recommends Against Microsoft IIS (eWeek, 2001)
We actually consider Microsoft to be leading the software industry now in improvements in their security development life cycle (CRN 2006)
This book is aimed at the people managing and defining software projects. It does not contain very many specific code examples that would appeal to the developer. This is not to say that developers shouldn't read it, but that it is not a detailed techie document.
The CD that comes with the book includes several documents that extend the concepts talked about in the book and a six part security class video conducted by the authors.
One note of caution. This book is on the Microsoft approach to security. It's what they are doing. It works for them. But there are also other approaches such as that being implemented by organizations such as the US Government.
Most Recent Customer Reviews
Well ten with many excellent examples.
This is the place to start if you're interested in developing secure software or reviewing systems for security and re3liability.