Enter your mobile number below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.
Getting the download link through email is temporarily not available. Please check back later.

  • Apple
  • Android
  • Windows Phone
  • Android

To get the free app, enter your mobile phone number.

The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices) 1st Edition

4.6 out of 5 stars 5 customer reviews
ISBN-13: 978-0735622142
ISBN-10: 0735622140
Why is ISBN important?
This bar-code number lets you verify that you're getting exactly the right version or edition of a book. The 13-digit and 10-digit formats both work.
Scan an ISBN with your phone
Use the Amazon App to scan ISBNs and compare prices.
Have one to sell? Sell on Amazon
More Buying Choices
14 New from $71.47 21 Used from $5.83
Free Two-Day Shipping for College Students with Prime Student Free%20Two-Day%20Shipping%20for%20College%20Students%20with%20Amazon%20Student

Excel 2016 For Dummies Video Training
Discover what Excel can do for you with self-paced video lessons from For Dummies. Learn more.
click to open popover

Special Offers and Product Promotions

Editorial Reviews

From the Publisher

The software industry is clamoring to learn more about the SDL methodology. With insights direct from Microsoft’s security team, where these techniques have been developed and proven to help reduce code defects, this book premieres SDL to a worldwide audience and is the first to detail the methodology stage by stage.

Key Book Benefits:

• Delivers practical, proven advice from the experts for minimizing security-related code defects

• Details a methodology that can be applied to any development process, with outstanding results

• Includes a CD-ROM with video training classes for developers conducted by coauthor Michael Howard, a security program manager at Microsoft

About the Author

Michael Howard, CISSP, is a leading security expert. He is a senior security program manager at Microsoft® and the coauthor of The Software Security Development Lifecycle. Michael has worked on Windows security since 1992 and now focuses on secure design, programming, and testing techniques. He is the consulting editor for the Secure Software Development Series of books by Microsoft Press.

Steve Lipner, CISSP, is the senior director of Security Engineering Strategy for Microsoft. He is responsible for defining and updating the Security Development Lifecycle and has pioneered numerous security techniques. Steve has over 35 years’ experience as a researcher, development manager, and general manager in IT security.


New York Times best sellers
Browse the New York Times best sellers in popular categories like Fiction, Nonfiction, Picture Books and more. See more

Product Details

  • Series: Developer Best Practices
  • Paperback: 352 pages
  • Publisher: Microsoft Press; 1 edition (June 28, 2006)
  • Language: English
  • ISBN-10: 0735622140
  • ISBN-13: 978-0735622142
  • Product Dimensions: 7.7 x 1.1 x 8.9 inches
  • Shipping Weight: 1.5 pounds
  • Average Customer Review: 4.6 out of 5 stars  See all reviews (5 customer reviews)
  • Amazon Best Sellers Rank: #516,603 in Books (See Top 100 in Books)

Customer Reviews

5 star
4 star
3 star
2 star
1 star
See all 5 customer reviews
Share your thoughts with other customers

Top Customer Reviews

Format: Paperback
I read six books on software security recently, namely "Writing Secure Code, 2nd Ed" by Michael Howard and David LeBlanc; "19 Deadly Sins of Software Security" by Michael Howard, David LeBlanc, and John Viega; "Software Security" by Gary McGraw; "The Security Development Lifecycle" by Michael Howard and Steve Lipner; "High-Assurance Design" by Cliff Berg; and "Security Patterns" by Markus Schumacher, et al. Each book takes a different approach to the software security problem, although the first two focus on coding bugs and flaws; the second two examine development processes; and the last two discuss practices or patterns for improved design and implementation. My favorite of the six is Gary McGraw's, thanks to his clear thinking and logical analysis. The other five are still noteworthy books. All six will contribute to the production of more security software.

"Security Development Lifecycle" (SDL) is unique because in many ways it exposes the guts of Microsoft's product development process. I cannot recall seeing another technical company share so much of its internal procedures with the public. One of the most interesting aspects of SDL is the attention paid to security after a product is shipped. No one at Microsoft breathes a sigh of relief when boxes appear on store shelves. Instead, Microsoft explains how it conducts security response planning in ch 15 and security response execution in ch 17. (Between the two is ch 16 -- only 3/4 of a page! Why bother?)

Although I liked SDL overall (enough to justify 4 stars), I thought it suffered three major problems. First, I don't think the audience was defined properly. p xviii mentions "managers" as the primary target, along with architects and designers. Specifically, "this is not a book for developers.
Read more ›
Comment 18 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback
I have been very impressed with other offerings from the Microsoft professional series and was excited when this book was released. This is not a technical book like "Writing Secure Code" and "Code Complete" but a book aimed at managers responsible for software projects. My opinion is not based on real world experience of large software projects, but on academic projects smaller in scale than those of Microsoft.

The introductory material is weak, part 1 which explores the reasoning and history behind the SLD seemed to be stretched needlessly, repeating the same information multiple times. Chapter 4 which provides the management impact of the SDL lacks focus, and does not justify the need (ROI) for the SDL.

Part 2 goes though each step of the SDL in detail. Overall, this section is more polished and for the most part does a good job of covering each domain in detail. While this book is focused on managerial and operational activities, there are times where it awkwardly delves into specific technical details. Chapter 10 (Documents, Tools, Practices for customers) and chapter 15 (Response planning) are strong chapters which most everyone can lean from.

Part 3 is a series of reference materials. Chapter 20 (Crypto) and 21 (Compiler Options) are good guidelines to compare your organizations own practices against.
Read more ›
Comment 10 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback
As is well known, Microsoft software has been known in the past for producing software that had numerous problems in the security area. It finally became so obvious that the company was forced to make a major change in emphasis regarding the security holes in their products.

Microsoft is, of course, a huge software development organization. To move the organization into writing more secure code it was necessary to develop plans, procedures, classes for managers and programmer and the like to implement writing more secure code. The resulting effort is called the Security Development Lifecycle (SDL).

The results of implementing SDL are summarized in the Introduction to the book. Here are two newspaper headlines quoted there:

Gartner Recommends Against Microsoft IIS (eWeek, 2001)

We actually consider Microsoft to be leading the software industry now in improvements in their security development life cycle (CRN 2006)

This book is aimed at the people managing and defining software projects. It does not contain very many specific code examples that would appeal to the developer. This is not to say that developers shouldn't read it, but that it is not a detailed techie document.

The CD that comes with the book includes several documents that extend the concepts talked about in the book and a six part security class video conducted by the authors.

One note of caution. This book is on the Microsoft approach to security. It's what they are doing. It works for them. But there are also other approaches such as that being implemented by organizations such as the US Government.
Comment One person found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse